check u->width is non-zero and implement stricter integer overflow check

warmcat · May 30, 2024 · b4c5d28 · b4c5d28
1 parent 1e0953f
commit b4c5d28
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/misc/upng.c b/lib/misc/upng.c
@@ -462,6 +462,11 @@ lws_upng_decode(lws_upng_t* u, const uint8_t **_pos, size_t *_size)
 			u->u.y		= 0;
 			u->u.ibp	= 0;
 			u->u.bypp	= (u->u.bpp + 7) / 8;
+			if (!u->width) {
+					lwsl_err("%s: u->width > 0 is required",
+						 __func__);
+				return LWS_SRET_FATAL + 27;
+			}
 			u->inf.bypl = u->u.bypl	= u->width * u->u.bypp;
 
 			u->inf.outlen	= u->inf.info_size;
@@ -484,7 +489,7 @@ lws_upng_decode(lws_upng_t* u, const uint8_t **_pos, size_t *_size)
 			if (!u->inf.out) {
 				size_t ims = (u->u.bypl * 2) + u->inf.info_size;
 
-				if (u->inf.info_size > ims) {
+				if (u->u.bypl > UINT_MAX / 2 || u->inf.info_size > UINT_MAX - (u->u.bypl * 2)) {
 					lwsl_err("%s: integer overflow occur in ims %llu",
 						 __func__, (unsigned long long)ims);
 					return LWS_SRET_FATAL + 27;