From 202be57bb94b2bd65db9164bfd94ad2ec5167071 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@gmx.de>
Date: Sun, 16 Jun 2013 19:01:46 +0200
Subject: draw: add badrect() function to reject zero, negative size or orverly
 huge rectangles

not checking the rectangle dimensions causes integer overflows
and memory corruption. adding a new badrect() function that checks
for these cases.
---
 sys/src/libdraw/alloc.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'sys/src/libdraw/alloc.c')

diff --git a/sys/src/libdraw/alloc.c b/sys/src/libdraw/alloc.c
index 7884321ac..256378f36 100644
--- a/sys/src/libdraw/alloc.c
+++ b/sys/src/libdraw/alloc.c
@@ -26,6 +26,10 @@ _allocimage(Image *ai, Display *d, Rectangle r, ulong chan, int repl, ulong val,
 	err = 0;
 	i = 0;
 
+	if(badrect(r)){
+		werrstr("bad rectangle");
+		return nil;
+	}
 	if(chan == 0){
 		werrstr("bad channel descriptor");
 		return nil;
-- 
cgit v1.2.3