29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
|
# HG changeset patch
|
||
|
|
# User Sam Lantinga <slouken@libsdl.org>
|
||
|
|
# Date 1507331870 25200
|
||
|
|
# Fri Oct 06 16:17:50 2017 -0700
|
||
|
|
# Node ID 7e0f1498ddb549a338a220534875529ef0ba55ce
|
||
|
|
# Parent dc7245e3d1f2ae032caa7776940af4aebe6afc05
|
||
|
|
Fixed potential overflow in surface allocation (thanks Yves!)
|
||
|
|
|
||
|
|
diff -r dc7245e3d1f2 -r 7e0f1498ddb5 src/video/SDL_surface.c
|
||
|
|
--- a/src/video/SDL_surface.c Thu Oct 05 09:37:28 2017 -0700
|
||
|
|
+++ b/src/video/SDL_surface.c Fri Oct 06 16:17:50 2017 -0700
|
||
|
|
@@ -80,7 +80,15 @@
|
||
|
|
|
||
|
|
/* Get the pixels */
|
||
|
|
if (surface->w && surface->h) {
|
||
|
|
- surface->pixels = SDL_malloc(surface->h * surface->pitch);
|
||
|
|
+ int size = (surface->h * surface->pitch);
|
||
|
|
+ if (size < 0 || (size / surface->pitch) != surface->h) {
|
||
|
|
+ /* Overflow... */
|
||
|
|
+ SDL_FreeSurface(surface);
|
||
|
|
+ SDL_OutOfMemory();
|
||
|
|
+ return NULL;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
+ surface->pixels = SDL_malloc(size);
|
||
|
|
if (!surface->pixels) {
|
||
|
|
SDL_FreeSurface(surface);
|
||
|
|
SDL_OutOfMemory();
|