From ec7f5560a36f10aefc4e90646dc9cbe50ac1d8ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20M=C3=BCller?=
Date: Sun, 19 Feb 2023 13:45:48 +0100
Subject: [PATCH] Fix possible integer overflows using `mem_*` functions
---
 src/engine/client/text.cpp | 2 +-
 src/game/editor/io.cpp | 5 +++--
 src/tools/map_optimize.cpp | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/engine/client/text.cpp b/src/engine/client/text.cpp
index 443e624d8..3c8e0df41 100644
--- a/src/engine/client/text.cpp
+++ b/src/engine/client/text.cpp
@@ -540,7 +540,7 @@ class CTextRender : public IEngineTextRender
 if(Width > 0 && Height > 0)
 {
 // prepare glyph data
- mem_zero(ms_aGlyphData, Width * Height);
+ mem_zero(ms_aGlyphData, (size_t)Width * Height);
 for(py = 0; py < pBitmap->rows; py++)
 for(px = 0; px < pBitmap->width; px++)
diff --git a/src/game/editor/io.cpp b/src/game/editor/io.cpp
index b5fd115a5..63eebb7a9 100644
--- a/src/game/editor/io.cpp
+++ b/src/game/editor/io.cpp
@@ -511,8 +511,9 @@ bool CEditorMap::Load(class IStorage *pStorage, const char *pFileName, int Stora
 // copy image data
 void *pData = DataFile.GetData(pItem->m_ImageData);
- pImg->m_pData = malloc((size_t)pImg->m_Width * pImg->m_Height * 4);
- mem_copy(pImg->m_pData, pData, pImg->m_Width * pImg->m_Height * 4);
+ const size_t DataSize = (size_t)pImg->m_Width * pImg->m_Height * 4;
+ pImg->m_pData = malloc(DataSize);
+ mem_copy(pImg->m_pData, pData, DataSize);
 int TextureLoadFlag = m_pEditor->Graphics()->HasTextureArrays() ? IGraphics::TEXLOAD_TO_2D_ARRAY_TEXTURE : IGraphics::TEXLOAD_TO_3D_TEXTURE;
 if(pImg->m_Width % 16 != 0 || pImg->m_Height % 16 != 0)
 TextureLoadFlag = 0;
diff --git a/src/tools/map_optimize.cpp b/src/tools/map_optimize.cpp
index 9602703ca..c0ac1b8bf 100644
--- a/src/tools/map_optimize.cpp
+++ b/src/tools/map_optimize.cpp
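Review bot: In src/engine/client/text.cpp the widened count passed to `mem_zero(ms_aGlyphData, (size_t)Width * Height)` is still not compared with the capacity of `ms_aGlyphData`; the only guard visible in the hunk is `Width > 0 && Height > 0`. If that buffer is a fixed-size array, as the `ms_a` prefix suggests, glyph dimensions taken from a font bitmap could make the call zero past its end, so a bound such as `if((size_t)Width * Height > sizeof(ms_aGlyphData))` that skips the glyph would belong in front of it, unless an earlier part of the function, which starts outside the hunk, already enforces one. The cast also gives no extra headroom on targets where `size_t` is 32 bits wide; the same applies to the `* 4` products in the io.cpp and map_optimize.cpp hunks.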
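Review bot: In src/game/editor/io.cpp, `mem_copy(pImg->m_pData, pData, DataSize)` reads `DataSize` bytes from the buffer returned by `DataFile.GetData(pItem->m_ImageData)`, but nothing in the hunk checks that the stored data item is at least that large, so a map file whose image item declares a larger width and height than its data provides could cause a read past the end of `pData`. The result of `malloc(DataSize)` and the `pData` pointer are also used without a null check. I would validate before copying, for example `if(pData == nullptr || pImg->m_pData == nullptr) { /* abort loading this image */ }`, together with a comparison of `DataSize` against the data item's stored size. `CEditorMap::Load` begins and continues outside the hunk, so the right failure path, and whether the dimensions are range-checked earlier, need confirming there.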
@@ -250,7 +250,7 @@ int main(int argc, const char **argv)
 }
 else if(aImageFlags[ImageIndex] == 0)
 {
- mem_zero(pImgBuff, Width * Height * 4);
+ mem_zero(pImgBuff, (size_t)Width * Height * 4);
 }
 else
 {
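Review bot: The byte count in `mem_zero(pImgBuff, (size_t)Width * Height * 4)` is written out at the call site, whereas the io.cpp hunk of this commit computes it once into `DataSize` and reuses it. The allocation of `pImgBuff` is outside the hunk; if it carries its own copy of the expression, one `const size_t ImgSize = (size_t)Width * Height * 4;` shared by the allocation and this call would keep the allocated size and the zeroed size from drifting apart. `main` continues outside the hunk, so where that constant should live needs checking against the rest of the function.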