From 5c2f31d8d6e5f24962300f4608a0d6f887ca3bea Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Thu, 12 Sep 2024 22:05:52 +0200 Subject: [PATCH] cursor: Gracefully handle huge cursor files If cursor files require more than INT_MAX bytes, it is possible to trigger out of boundary writes. Since these sizes are most likely not desired anyway, gracefully handle these situations like out of memory errors. Signed-off-by: Tobias Stoeckmann --- cursor/wayland-cursor.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/cursor/wayland-cursor.c b/cursor/wayland-cursor.c index 636f5166..f3fef157 100644 --- a/cursor/wayland-cursor.c +++ b/cursor/wayland-cursor.c @@ -27,6 +27,7 @@ #include "xcursor.h" #include "wayland-cursor.h" #include "wayland-client.h" +#include #include #include #include @@ -284,7 +285,8 @@ wl_cursor_create_from_xcursor_images(struct xcursor_images *images, { struct cursor *cursor; struct cursor_image *image; - int i, size; + size_t size; + int i; cursor = malloc(sizeof *cursor); if (!cursor) @@ -314,7 +316,12 @@ wl_cursor_create_from_xcursor_images(struct xcursor_images *images, image->image.hotspot_y = images->images[i]->yhot; image->image.delay = images->images[i]->delay; - size = image->image.width * image->image.height * 4; + size = (size_t) image->image.width * image->image.height * 4; + if (size > INT_MAX) { + free(image); + break; + } + image->offset = shm_pool_allocate(theme->pool, size); if (image->offset < 0) { free(image); @@ -389,6 +396,9 @@ wl_cursor_theme_load(const char *name, int size, struct wl_shm *shm) if (!theme) return NULL; + if (size < 0 || (size > 0 && INT_MAX / size / 4 < size)) + return NULL; + if (!name) name = "default";