-rw-r--r-- | src/html.cc | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/html.cc b/src/html.cc
index f05beb51..83c52a18 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -1984,7 +1984,18 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag,
 h = (int) (CSS_LENGTH_TYPE(l_h) == CSS_LENGTH_TYPE_PX ? CSS_LENGTH_VALUE(l_h) : 0);
 }
- if (w < 0 || h < 0 || abs(w*h) > IMAGE_MAX_AREA) {
+ /* Check for suspicious image size request that would cause
+ * an excessive amount of memory to be allocated for the
+ * image buffer.
+ * Be careful to avoid integer overflows during the checks.
+ * There is an additional check in dw/image.cc to catch cases
+ * where only one dimension is given and the image is scaled
+ * preserving it's original aspect ration.
+ * Size requests passed via CSS are also checked there.
+ */
+ if (w < 0 || h < 0 ||
+ w > IMAGE_MAX_AREA || h > IMAGE_MAX_AREA ||
+ (h > 0 && w > IMAGE_MAX_AREA / h)) {
 dFree(width_ptr);
 dFree(height_ptr);
 width_ptr = height_ptr = NULL; |
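Review bot: The new block comment has two typos in its aspect-ratio sentence; it should read `* preserving its original aspect ratio.` rather than "it's ... ration". The overflow-safe test itself looks right: once w and h are known to be non-negative and each capped at IMAGE_MAX_AREA, `w > IMAGE_MAX_AREA / h` rejects every pair whose product exceeds the limit without ever evaluating w*h, which the removed `abs(w*h)` could not guarantee because the multiplication could already have overflowed. Since the comment says dw/image.cc repeats this check for scaled and CSS-sized images, it would be worth keeping the two copies literally identical or moving them into one shared helper so a later change to the limit or the arithmetic cannot drift between them. a_Html_image_new begins and ends outside the hunk.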