From 44688e270216b92c3b2f1a759f7be840ec6c3b71 Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Mon, 22 Feb 2021 10:02:03 +0000
Subject: [PATCH 1/2] fix int overflow in vips_region_copy this could cause crashes with very wide images, see: https://github.com/libvips/libvips/issues/1989
---
 libvips/iofuncs/region.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libvips/iofuncs/region.c b/libvips/iofuncs/region.c
index 89d215ab..27426bb4 100644
--- a/libvips/iofuncs/region.c
+++ b/libvips/iofuncs/region.c
@@ -48,6 +48,9 @@
 * 9/6/19
 * - saner behaviour for vips_region_fetch() if the request is partly
 * outside the image
+ * 22/2/21 f1ac
+ * - fix int overflow in vips_region_copy(), could cause crashes with
+ * very wide images
 */
 /*
@@ -1048,12 +1051,13 @@ void vips_region_copy( VipsRegion *reg, VipsRegion *dest, const VipsRect *r, int x, int y ) {
- int z;
- int len = VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width;
+ size_t len = VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width;
 VipsPel *p = VIPS_REGION_ADDR( reg, r->left, r->top );
 VipsPel *q = VIPS_REGION_ADDR( dest, x, y );
- int plsk = VIPS_REGION_LSKIP( reg );
- int qlsk = VIPS_REGION_LSKIP( dest );
+ size_t plsk = VIPS_REGION_LSKIP( reg );
+ size_t qlsk = VIPS_REGION_LSKIP( dest );
+
+ int z;
 #ifdef DEBUG
 /* Find the area we will write to in dest.
From ec67002493b5b16273538d7fc14d9a4dfea91a8f Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Mon, 22 Feb 2021 10:06:14 +0000
Subject: [PATCH 2/2] update changelog
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index c02d3a47..0b6981a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@
 - better error detection in spngload [randy408]
 - fix includes of glib headers in C++ [lovell]
 - fix build with more modern librsvg [lovell]
+- fix a possible segv with very wide images [f1ac]
 18/12/20 started 8.10.5
 - fix potential /0 in animated webp load [lovell]
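Review bot: On the new `size_t len = ...` line in vips_region_copy() the declared type is wider, but the product `VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width` is still evaluated in its own type before the assignment; if that macro yields an `int` (its definition is not visible here), the multiplication can still overflow for very wide images and the fix would be incomplete. Making the widening explicit removes that dependency: `size_t len = (size_t) VIPS_IMAGE_SIZEOF_PEL( reg->im ) * r->width;`. Likewise `plsk`/`qlsk` only help if `VIPS_REGION_LSKIP` and the offset arithmetic inside `VIPS_REGION_ADDR` are not themselves computed in `int`, which is worth confirming in the macro definitions. Because `len` is now unsigned, a negative `r->width` would become a very large length instead of a negative one, so a short comment stating that callers pass a clipped, non-empty rect would document the precondition. The body of the function continues past the end of the hunk, so how `len`, `plsk` and `qlsk` are consumed is not visible here.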