From 202be57bb94b2bd65db9164bfd94ad2ec5167071 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@gmx.de>
Date: Sun, 16 Jun 2013 19:01:46 +0200
Subject: draw: add badrect() function to reject zero, negative size or orverly
 huge rectangles

not checking the rectangle dimensions causes integer overflows
and memory corruption. adding a new badrect() function that checks
for these cases.
---
 sys/src/libmemdraw/cload.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sys/src/libmemdraw/cload.c')

diff --git a/sys/src/libmemdraw/cload.c b/sys/src/libmemdraw/cload.c
index 5e068cba0..b70c23603 100644
--- a/sys/src/libmemdraw/cload.c
+++ b/sys/src/libmemdraw/cload.c
@@ -9,7 +9,7 @@ cloadmemimage(Memimage *i, Rectangle r, uchar *data, int ndata)
 	int y, bpl, c, cnt, offs;
 	uchar mem[NMEM], *memp, *omemp, *emem, *linep, *elinep, *u, *eu;
 
-	if(!rectinrect(r, i->r))
+	if(badrect(r) || !rectinrect(r, i->r))
 		return -1;
 	bpl = bytesperline(r, i->depth);
 	u = data;
-- 
cgit v1.2.3