From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001
From: Sam Hocevar <sam@hocevar.net>
Date: Sat, 29 Dec 2018 22:13:56 +0100
Subject: [PATCH] dither: fix integer overflows that were causing a division by
zero.
Fixes: #36 (CVE-2018-20544)
---
caca/dither.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/caca/dither.c b/caca/dither.c
index 04b678e0..c6ebab1b 100644
--- a/caca/dither.c
+++ b/caca/dither.c
@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
/* First get RGB */
if(d->antialias)
{
- fromx = (x - x1) * w / deltax;
- fromy = (y - y1) * h / deltay;
- tox = (x - x1 + 1) * w / deltax;
- toy = (y - y1 + 1) * h / deltay;
+ fromx = (uint64_t)(x - x1) * w / deltax;
+ fromy = (uint64_t)(y - y1) * h / deltay;
+ tox = (uint64_t)(x - x1 + 1) * w / deltax;
+ toy = (uint64_t)(y - y1 + 1) * h / deltay;
/* We want at least one pixel */
if(tox == fromx) tox++;
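Review bot: The `(uint64_t)` cast in the four added lines is applied only after `x - x1` (and `x - x1 + 1`) has been evaluated in `int`, and it makes the whole product and division unsigned. That is exact only while `x - x1`, `w`/`h` and `deltax`/`deltay` are all non-negative; a negative operand would be converted to a very large unsigned value and yield a wrong quotient. The visible lines also do not show `deltax`/`deltay` being checked for zero before the division. I would either state the precondition in a comment, e.g. `/* x >= x1, w > 0 and deltax > 0 here, so the unsigned 64-bit product is exact */`, or widen to a signed type, `fromx = (int64_t)(x - x1) * w / deltax;`. The same applies to the identical lines in the second hunk; the body of caca_dither_bitmap starts and ends outside both hunks, so these bounds may already be established there.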
@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
}
else
{
- fromx = (x - x1) * w / deltax;
- fromy = (y - y1) * h / deltay;
- tox = (x - x1 + 1) * w / deltax;
- toy = (y - y1 + 1) * h / deltay;
+ fromx = (uint64_t)(x - x1) * w / deltax;
+ fromy = (uint64_t)(y - y1) * h / deltay;
+ tox = (uint64_t)(x - x1 + 1) * w / deltax;
+ toy = (uint64_t)(y - y1 + 1) * h / deltay;
/* tox and toy can overflow the canvas, but they cannot overflow
* when averaged with fromx and fromy because these are guaranteed
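Review bot: These four assignments are a second copy of the computation patched in the previous hunk, so any arithmetic fix has to be made in two places, as this commit had to do. If the `else` at the top of this hunk pairs with the `if(d->antialias)` of the previous hunk, the four lines could be hoisted in front of that `if` and written once. The function body continues outside both hunks, so first confirm that nothing between the two branches modifies `x`, `y`, `w` or `h`.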