Fix potential integer overflow detected by oss-fuzz
parent
0be6aec0fe
commit
9ed642764c
12
src/gd.c
12
src/gd.c
|
@ -1884,6 +1884,8 @@ BGD_DECLARE(void) gdImageChar (gdImagePtr im, gdFontPtr f, int x, int y, int c,
|
|||
int cx, cy;
|
||||
int px, py;
|
||||
int fline;
|
||||
const int xuppper = (x > INT_MAX - f->w) ? INT_MAX : x + f->w;
|
||||
const int yuppper = (y > INT_MAX - f->h) ? INT_MAX : y + f->h;
|
||||
cx = 0;
|
||||
cy = 0;
|
||||
#ifdef CHARSET_EBCDIC
|
||||
|
@ -1893,8 +1895,8 @@ BGD_DECLARE(void) gdImageChar (gdImagePtr im, gdFontPtr f, int x, int y, int c,
|
|||
return;
|
||||
}
|
||||
fline = (c - f->offset) * f->h * f->w;
|
||||
for (py = y; (py < (y + f->h)); py++) {
|
||||
for (px = x; (px < (x + f->w)); px++) {
|
||||
for (py = y; py < yuppper; py++) {
|
||||
for (px = x; px < xuppper; px++) {
|
||||
if (f->data[fline + cy * f->w + cx]) {
|
||||
gdImageSetPixel (im, px, py, color);
|
||||
}
|
||||
|
@ -1913,6 +1915,8 @@ BGD_DECLARE(void) gdImageCharUp (gdImagePtr im, gdFontPtr f, int x, int y, int c
|
|||
int cx, cy;
|
||||
int px, py;
|
||||
int fline;
|
||||
const int xuppper = (x > INT_MAX - f->h) ? INT_MAX : x + f->h;
|
||||
const int ylower = (y < INT_MIN + f->w) ? INT_MIN : y - f->w;
|
||||
cx = 0;
|
||||
cy = 0;
|
||||
#ifdef CHARSET_EBCDIC
|
||||
|
@ -1922,8 +1926,8 @@ BGD_DECLARE(void) gdImageCharUp (gdImagePtr im, gdFontPtr f, int x, int y, int c
|
|||
return;
|
||||
}
|
||||
fline = (c - f->offset) * f->h * f->w;
|
||||
for (py = y; (py > (y - f->w)); py--) {
|
||||
for (px = x; (px < (x + f->h)); px++) {
|
||||
for (py = y; py > ylower; py--) {
|
||||
for (px = x; px < xuppper; px++) {
|
||||
if (f->data[fline + cy * f->w + cx]) {
|
||||
gdImageSetPixel (im, px, py, color);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue