codeql: integer-multiplication-cast-to-long

Multiplication result converted to larger type with possible arithmetic overflow. codeql #2, #3, #5
LibreDWG · May 8, 2022 · 1e4991c · 1e4991c
1 parent 6d9a72f
commit 1e4991c
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/src/decode.c b/src/decode.c
@@ -1889,7 +1889,7 @@ read_2004_compressed_section (Bit_Chain *dat, Dwg_Data *restrict dwg,
                  info->name, info->num_sections, info->max_decomp_size);
       return DWG_ERR_VALUEOUTOFBOUNDS;
     }
-  if (info->size > info->num_sections * info->max_decomp_size || info->size < 0)
+  if (info->size > (int64_t)info->num_sections * (int64_t)info->max_decomp_size || info->size < 0)
     {
       LOG_ERROR ("Invalid section %s size %" PRId64 " > %u * " FORMAT_RL,
                  info->name, info->size, info->num_sections, info->max_decomp_size);

diff --git a/src/dwg.spec b/src/dwg.spec
@@ -6159,7 +6159,7 @@ DWG_ENTITY (TABLE)
     VALUEOUTOFBOUNDS (num_rows, 5000)
     FIELD_VECTOR (col_widths, BD, num_cols, 142);
     FIELD_VECTOR (row_heights, BD, num_rows, 141);
-    FIELD_VALUE (num_cells) = FIELD_VALUE (num_rows) * FIELD_VALUE (num_cols);
+    FIELD_VALUE (num_cells) = (unsigned long)FIELD_VALUE (num_rows) * FIELD_VALUE (num_cols);
     #define cell cells[rcount1]
     REPEAT (num_cells, cells, Dwg_TABLE_Cell)
     REPEAT_BLOCK

diff --git a/src/dwg_api.c b/src/dwg_api.c
@@ -23419,7 +23419,7 @@ dwg_add_POLYLINE_PFACE (Dwg_Object_BLOCK_HEADER *restrict blkhdr,
   API_ADD_ENTITY (POLYLINE_PFACE);
   pl = obj;
   _pl = _obj;
-  _pl->vertex = malloc ((numverts + numfaces) * sizeof (BITCODE_H));
+  _pl->vertex = malloc (((unsigned long)numverts + numfaces) * sizeof (BITCODE_H));
   if (!_pl->vertex)
     return NULL;
   _pl->has_vertex = 1;