From 3311fc00010c6cb305d87525c9ef60ebdf036cfc Mon Sep 17 00:00:00 2001 From: DRC Date: Wed, 7 Apr 2021 14:20:49 -0500 Subject: [PATCH] rdbmp.c: Fix innocuous UBSan error A fuzzing test case with an image width of 838860946 triggered a UBSan error: rdbmp.c:633:34: runtime error: signed integer overflow: 838860946 * 3 cannot be represented in type 'int' Because the result is cast to an unsigned int (JDIMENSION), this error is irrelevant, because (unsigned int)((int)838860946 * (int)3) == (unsigned int)838860946 * (unsigned int)3 --- rdbmp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rdbmp.c b/rdbmp.c index 6ba584af..c6ce2948 100644 --- a/rdbmp.c +++ b/rdbmp.c @@ -6,7 +6,7 @@ * Modified 2009-2017 by Guido Vollbeding. * libjpeg-turbo Modifications: * Modified 2011 by Siarhei Siamashka. - * Copyright (C) 2015, 2017-2018, D. R. Commander. + * Copyright (C) 2015, 2017-2018, 2021, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -631,7 +631,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) /* Allocate one-row buffer for returned data */ source->pub.buffer = (*cinfo->mem->alloc_sarray) ((j_common_ptr)cinfo, JPOOL_IMAGE, - (JDIMENSION)(biWidth * cinfo->input_components), (JDIMENSION)1); + (JDIMENSION)biWidth * (JDIMENSION)cinfo->input_components, (JDIMENSION)1); source->pub.buffer_height = 1; cinfo->data_precision = 8;