author | Alex Gaynor <alex.gaynor@gmail.com> | 2016-12-27 18:32:54 -0500 |
---|---|---|
committer | Kostya Serebryany <konstantin.s.serebryany@gmail.com> | 2016-12-27 15:32:54 -0800 |
commit | c3a44cb1e38226fa5078456f6c40415200090472 (patch) | |
tree | 5185782f020ab93b19d4bf560b5741244556f5f6 /projects/libjpeg-turbo | |
parent | c4ac474aef6c84d42d2f8c7077613cc7f11c495f (diff) | |
download | oss-fuzz-c3a44cb1e38226fa5078456f6c40415200090472.tar.gz |
Don't overflow on multiplication in the libjpeg_turbo fuzzer (#218)
Diffstat (limited to 'projects/libjpeg-turbo')
-rw-r--r-- | projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
index 1cee173df..838e5368a 100644
--- a/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
+++ b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
@@ -32,8 +32,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 jpegDecompressor, data, size, &width, &height, &subsamp, &colorspace);
 // Bail out if decompressing the headers failed, the width or height is 0,
- // or the image is too large (avoids slowing down too much)
- if (res != 0 || width == 0 || height == 0 || (width * height > (1024 * 1024))) {
+ // or the image is too large (avoids slowing down too much). Cast to size_t to
+ // avoid overflows on the multiplication
+ if (res != 0 || width == 0 || height == 0 || ((size_t)width * height > (1024 * 1024))) {
 tjDestroy(jpegDecompressor);
 return 0;
 } |
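Review bot: The size guard on the added `if` line still relies on a cast rather than on an overflow-free comparison. If `width` and `height` are signed (their declarations are outside the hunk), `(size_t)width` turns a negative value into a very large one and the product can wrap back under the limit; the check is also only correct where `size_t` is wide enough to hold the product. Since zero is already excluded, a division form needs no cast, for example `if (res != 0 || width <= 0 || height <= 0 || width > (1024 * 1024) / height) {`. Whether the header call can succeed with a negative dimension is not visible here, so this is hardening rather than a confirmed bug. The body of LLVMFuzzerTestOneInput starts and ends outside the hunk.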