From 94450a1d7404e52322d2f61715e1d7a4669137b5 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Fri, 28 Sep 2018 18:02:11 +0200 Subject: [PATCH] lib: Fix fpi_img_is_sane() The checks weren't: - checking whether the width or height were negative - whether img->width * img->height would overflow, or was bigger than G_MAXINT - whether img->width * img->height was bigger than the total length of the buffer The last one looks like a thinko, it checked for: (img->length * img->height) < img->length which is equivalent to: img->height < 1 which we already check for earlier. Closes: #85 --- libfprint/fpi-img.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libfprint/fpi-img.c b/libfprint/fpi-img.c index 34c9c383..8691bd6d 100644 --- a/libfprint/fpi-img.c +++ b/libfprint/fpi-img.c @@ -69,12 +69,19 @@ struct fp_img *fpi_img_new_for_imgdev(struct fp_img_dev *imgdev) gboolean fpi_img_is_sane(struct fp_img *img) { + guint len; + /* basic checks */ - if (!img->length || !img->width || !img->height) + if (!img->length || img->width <= 0 || img->height <= 0) return FALSE; - /* buffer is big enough? */ - if ((img->length * img->height) < img->length) + /* Are width and height just too big? */ + if (!g_uint_checked_mul(&len, img->width, img->height) || + len > G_MAXINT) + return FALSE; + + /* buffer big enough? */ + if (len > img->length) return FALSE; return TRUE;
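Review bot: The new local `guint len;` holds the pixel count width * height, yet its name reads as a synonym for `img->length`, which is the byte size of the buffer, and the two sit side by side in the final check `if (len > img->length)`; renaming it makes that check say what it compares, `guint pixels;`, `if (!g_uint_checked_mul(&pixels, img->width, img->height) || pixels > G_MAXINT)`, `if (pixels > img->length)`. That comparison presumably relies on one byte per pixel, so the comment above it would carry more than the repeated question if it read `/* buffer big enough? (assumes one byte per pixel) */`. The `len > G_MAXINT` bound is not explained in the hunk; a short why-comment such as `/* keep width * height representable as int for callers doing int arithmetic on it */` would help, if that is indeed the reason. fpi_img_is_sane's closing brace lies outside the hunk.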