From 44688e270216b92c3b2f1a759f7be840ec6c3b71 Mon Sep 17 00:00:00 2001 From: John Cupitt Date: Mon, 22 Feb 2021 10:02:03 +0000 Subject: [PATCH] fix int overflow in vips_region_copy this could cause crashes with very wide images, see: https://github.com/libvips/libvips/issues/1989 --- libvips/iofuncs/region.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libvips/iofuncs/region.c b/libvips/iofuncs/region.c index 89d215ab..27426bb4 100644 --- a/libvips/iofuncs/region.c +++ b/libvips/iofuncs/region.c @@ -48,6 +48,9 @@ * 9/6/19 * - saner behaviour for vips_region_fetch() if the request is partly * outside the image + * 22/2/21 f1ac + * - fix int overflow in vips_region_copy(), could cause crashes with + * very wide images */ /* @@ -1048,12 +1051,13 @@ void vips_region_copy( VipsRegion *reg, VipsRegion *dest, const VipsRect *r, int x, int y ) { - int z; - int len = VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width; + size_t len = VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width; VipsPel *p = VIPS_REGION_ADDR( reg, r->left, r->top ); VipsPel *q = VIPS_REGION_ADDR( dest, x, y ); - int plsk = VIPS_REGION_LSKIP( reg ); - int qlsk = VIPS_REGION_LSKIP( dest ); + size_t plsk = VIPS_REGION_LSKIP( reg ); + size_t qlsk = VIPS_REGION_LSKIP( dest ); + + int z; #ifdef DEBUG /* Find the area we will write to in dest.