diff options
Diffstat (limited to 'source/blender/blendthumb')
-rw-r--r-- | source/blender/blendthumb/CMakeLists.txt | 2 | ||||
-rw-r--r-- | source/blender/blendthumb/src/blendthumb_extract.cc | 8 |
2 files changed, 7 insertions, 3 deletions
diff --git a/source/blender/blendthumb/CMakeLists.txt b/source/blender/blendthumb/CMakeLists.txt index 330cefa247a..6160d225d45 100644 --- a/source/blender/blendthumb/CMakeLists.txt +++ b/source/blender/blendthumb/CMakeLists.txt @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-or-later # Copyright 2006 Blender Foundation. All rights reserved. -#----------------------------------------------------------------------------- +# ----------------------------------------------------------------------------- # Shared Thumbnail Extraction Logic include_directories( diff --git a/source/blender/blendthumb/src/blendthumb_extract.cc b/source/blender/blendthumb/src/blendthumb_extract.cc index de1f50dfdce..fff1242f2ce 100644 --- a/source/blender/blendthumb/src/blendthumb_extract.cc +++ b/source/blender/blendthumb/src/blendthumb_extract.cc @@ -121,6 +121,9 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file, while (file_read(file, bhead_data, bhead_size)) { /* Parse type and size from `BHead`. */ const int32_t block_size = bytes_to_native_i32(&bhead_data[4], endian_switch); + if (UNLIKELY(block_size < 0)) { + return BT_INVALID_THUMB; + } /* We're looking for the thumbnail, so skip any other block. */ switch (*((int32_t *)bhead_data)) { @@ -133,8 +136,9 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file, thumb->height = bytes_to_native_i32(&shape[4], endian_switch); /* Verify that image dimensions and data size make sense. */ - size_t data_size = block_size - 8; - const size_t expected_size = thumb->width * thumb->height * 4; + size_t data_size = block_size - sizeof(shape); + const uint64_t expected_size = static_cast<uint64_t>(thumb->width) * + static_cast<uint64_t>(thumb->height) * 4; if (thumb->width < 0 || thumb->height < 0 || data_size != expected_size) { return BT_INVALID_THUMB; } |