From b1329d7eaa52a11c73b75d19d20bd8f6d11ac535 Mon Sep 17 00:00:00 2001
From: Ray Molenkamp <github@lazydodo.com>
Date: Thu, 14 Jul 2022 12:18:35 -0600
Subject: Fix T99705: fix integer overflow in thumbnail extractor

It was smart enough to check if the buffer had the right
size but neglected to cast to a 64 bit value so it
overflowed.

Differential Revision: https://developer.blender.org/D15457
Reviewed By: brecht
---
 source/blender/blendthumb/src/blendthumb_extract.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'source/blender/blendthumb/src')

diff --git a/source/blender/blendthumb/src/blendthumb_extract.cc b/source/blender/blendthumb/src/blendthumb_extract.cc
index de1f50dfdce..369da559fc8 100644
--- a/source/blender/blendthumb/src/blendthumb_extract.cc
+++ b/source/blender/blendthumb/src/blendthumb_extract.cc
@@ -134,7 +134,8 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file,
 
         /* Verify that image dimensions and data size make sense. */
         size_t data_size = block_size - 8;
-        const size_t expected_size = thumb->width * thumb->height * 4;
+        const uint64_t expected_size = static_cast<uint64_t>(thumb->width) *
+                                       static_cast<uint64_t>(thumb->height) * 4;
         if (thumb->width < 0 || thumb->height < 0 || data_size != expected_size) {
           return BT_INVALID_THUMB;
         }
-- 
cgit v1.2.3