From 3d56a7fc6ed2fd52b7da2fc4209233cbbc04c761 Mon Sep 17 00:00:00 2001
From: Johannes Hofmann <Johannes.Hofmann@gmx.de>
Date: Mon, 29 Jun 2009 18:59:45 +0200
Subject: use IMAGE_MAX_AREA instead of IMAGE_MAX_W and IMAGE_MAX_H

---
 src/gif.c    | 2 +-
 src/html.cc  | 2 +-
 src/image.hh | 4 +---
 src/jpeg.c   | 2 +-
 src/png.c    | 2 +-
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/gif.c b/src/gif.c
index 4a2bb847..3df83d20 100644
--- a/src/gif.c
+++ b/src/gif.c
@@ -815,7 +815,7 @@ static size_t Gif_do_img_desc(DilloGif *gif, void *Buf,
 
    /* check max image size */
    if (gif->Width <= 0 || gif->Height <= 0 ||
-       gif->Width > (IMAGE_MAX_W * IMAGE_MAX_H) / gif->Height) {
+       gif->Width > IMAGE_MAX_AREA / gif->Height) {
       MSG("Gif_do_img_desc: suspicious image size request %ux%u\n",
           gif->Width, gif->Height);
       gif->state = 999;
diff --git a/src/html.cc b/src/html.cc
index 493290ff..f05beb51 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -1984,7 +1984,7 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag,
       h = (int) (CSS_LENGTH_TYPE(l_h) == CSS_LENGTH_TYPE_PX ?
                  CSS_LENGTH_VALUE(l_h) : 0);
    }
-   if (w < 0 || h < 0 || abs(w*h) > IMAGE_MAX_W * IMAGE_MAX_H) {
+   if (w < 0 || h < 0 || abs(w*h) > IMAGE_MAX_AREA) {
       dFree(width_ptr);
       dFree(height_ptr);
       width_ptr = height_ptr = NULL;
diff --git a/src/image.hh b/src/image.hh
index 8291ffb4..530e71f2 100644
--- a/src/image.hh
+++ b/src/image.hh
@@ -17,9 +17,7 @@ extern "C" {
  */
 
 /* Arbitrary maximum for image size (to avoid image size-crafting attacks). */
-#define IMAGE_MAX_W  6000
-#define IMAGE_MAX_H  6000
-
+#define IMAGE_MAX_AREA (6000 * 6000)
 
 /*
  * Types
diff --git a/src/jpeg.c b/src/jpeg.c
index 4a5f4118..b73a1672 100644
--- a/src/jpeg.c
+++ b/src/jpeg.c
@@ -282,7 +282,7 @@ static void Jpeg_write(DilloJpeg *jpeg, void *Buf, uint_t BufSize)
          /* check max image size */
          if (jpeg->cinfo.image_width <= 0 || jpeg->cinfo.image_height <= 0 ||
              jpeg->cinfo.image_width > 
-             (IMAGE_MAX_W * IMAGE_MAX_H) / jpeg->cinfo.image_height) {
+             IMAGE_MAX_AREA / jpeg->cinfo.image_height) {
             MSG("Jpeg_write: suspicious image size request %ux%u\n",
                 (uint_t)jpeg->cinfo.image_width,
                 (uint_t)jpeg->cinfo.image_height);
diff --git a/src/png.c b/src/png.c
index 98211ffe..353ebaa3 100644
--- a/src/png.c
+++ b/src/png.c
@@ -136,7 +136,7 @@ Png_datainfo_callback(png_structp png_ptr, png_infop info_ptr)
 
    /* check max image size */
    if (png->width <= 0 || png->height <= 0 ||
-       png->width > (IMAGE_MAX_W * IMAGE_MAX_H) / png->height) {
+       png->width > IMAGE_MAX_AREA / png->height) {
       MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n",
           png->width, png->height);
       Png_error_handling(png_ptr, "Aborting...");
-- 
cgit v1.2.3