diff options
| author | Oleg Oshmyan <chortos@inbox.lv> | 2017-02-03 15:13:48 +0200 |
|---|---|---|
| committer | Oleg Oshmyan <chortos@inbox.lv> | 2020-10-18 05:01:31 +0300 |
| commit | 3250a3b784f3b76d476943ab9ffd880c720ecb10 (patch) | |
| tree | 00a35cdb20644f7696bc6f9aa246aca4d3f01a23 | |
| parent | 59349a70589f3cd97a608fee67da5d27b9944242 (diff) | |
| download | libass-3250a3b784f3b76d476943ab9ffd880c720ecb10.tar.bz2 libass-3250a3b784f3b76d476943ab9ffd880c720ecb10.tar.xz | |
Prevent int overflow where unsigned wraparound is desired
On exotic (or future) platforms, types such as size_t and uint32_t may
be promoted to int, which allows multiplication, addition and left-shift
operations on these types to overflow (and produce undefined behavior).
To avoid this, make sure that the affected arithmetic operators convert
any promoted operands to unsigned int by the usual arithmetic conversions.
| -rw-r--r-- | libass/ass_strtod.c | 2 | ||||
| -rw-r--r-- | libass/ass_utils.c | 8 |
2 files changed, 5 insertions, 5 deletions
diff --git a/libass/ass_strtod.c b/libass/ass_strtod.c index 3b9ec3f..47302a8 100644 --- a/libass/ass_strtod.c +++ b/libass/ass_strtod.c @@ -259,7 +259,7 @@ ass_strtod( } else if (exp > ((size_t) -1 - (*p - '0')) / 10) { expWraparound = 1; } - exp = exp * 10 + (*p - '0'); + exp = exp * 10u + (*p - '0'); p += 1; } if (expSign == fracExpSign) { diff --git a/libass/ass_utils.c b/libass/ass_utils.c index 893e2c5..7fba778 100644 --- a/libass/ass_utils.c +++ b/libass/ass_utils.c @@ -154,14 +154,14 @@ void rskip_spaces(char **str, char *limit) *str = p; } -static int read_digits(char **str, int base, uint32_t *res) +static int read_digits(char **str, unsigned base, uint32_t *res) { char *p = *str; char *start = p; uint32_t val = 0; while (1) { - int digit; + unsigned digit; if (*p >= '0' && *p < FFMIN(base, 10) + '0') digit = *p - '0'; else if (*p >= 'a' && *p < base - 10 + 'a') @@ -184,7 +184,7 @@ static int read_digits(char **str, int base, uint32_t *res) * Follows the rules for strtoul but reduces the number modulo 2**32 * instead of saturating it to 2**32 - 1. */ -static int mystrtou32_modulo(char **p, int base, uint32_t *res) +static int mystrtou32_modulo(char **p, unsigned base, uint32_t *res) { // This emulates scanf with %d or %x format as it works on // Windows, because that's what is used by VSFilter. In practice, @@ -240,7 +240,7 @@ uint32_t parse_color_tag(char *str) uint32_t parse_color_header(char *str) { uint32_t color = 0; - int base; + unsigned base; if (!ass_strncasecmp(str, "&h", 2) || !ass_strncasecmp(str, "0x", 2)) { str += 2; |