better validate numeric hatch values for fills

author Tony Cook <tony@develop-help.com>

Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)

committer Tony Cook <tony@develop-help.com>

Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)
author Tony Cook <tony@develop-help.com>
Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)
committer Tony Cook <tony@develop-help.com>
Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)
diff --git a/Changes b/Changes

index 82644d70820cbf946c15e97285d8493f9fd92685..27b0f412211936d91ff188adb2f2b15f8dea25f7 100644 (file)
--- a/Changes
+++ b/Changes
@@ -21,6 +21,11 @@ Coverity finally finished a build, fix a few problems:
   - addi style makemap could potentially read one past the end of an
     array.
  
+ - supplying a numeric hatch of 32 to Imager::Fill->new(hatch => ...)
+   would result in read beyond the end of the built-in hatch array.
+   Negative values (which Coverity didn't complain about) could also
+   cause problems.
+
  Imager 1.008 - 31 Dec 2018
  ============
  
diff --git a/fills.c b/fills.c

index 52c51c8e2ba5d3316711dbff52ec157dbe412a04..479f9d49f4cfdb43c14894b867de810972b45d47 100644 (file)
--- a/fills.c
+++ b/fills.c
@@ -672,8 +672,10 @@ i_new_hatch_low(const i_color *fg, const i_color *bg,
      memcpy(fill->hatch, cust_hatch, 8);
    }
    else {
-    if (hatch > sizeof(builtin_hatches)/sizeof(*builtin_hatches)) 
+    if (hatch >= sizeof(builtin_hatches)/sizeof(*builtin_hatches)
+       || hatch < 0) {
        hatch = 0;
+    }
      memcpy(fill->hatch, builtin_hatches[hatch], 8);
    }
    fill->dx = dx & 7;
author	Tony Cook <tony@develop-help.com>
	Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)
committer	Tony Cook <tony@develop-help.com>
	Mon, 31 Dec 2018 11:22:01 +0000 (22:22 +1100)
Changes		patch \| blob \| blame \| history
fills.c		patch \| blob \| blame \| history