From 7b5aa50ddf0c879786830d633bbcba9332046217 Mon Sep 17 00:00:00 2001
From: Turo Lamminen <turotl@gmail.com>
Date: Sat, 09 May 2015 14:20:56 +0000
Subject: [PATCH] Avoid integer overflow and resulting crash when advertised texture size is too large

---
 mojodds.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/mojodds.c b/mojodds.c
index 1e2a322..c5e8124 100644
--- a/mojodds.c
+++ b/mojodds.c
@@ -337,10 +337,15 @@
         // TODO: also do this for other texture types
         uint32 wd = header->dwWidth;
         uint32 ht = header->dwHeight;
-        uint32 dataLen = 0;
+        uint32_t dataLen = 0;
         for (i = 0; i < (int)*_miplevels; i++)
         {
-            dataLen += MAX((wd + blockDim - 1) / blockDim, 1) * MAX((ht + blockDim - 1) / blockDim, 1) * blockSize;
+            uint32_t mipLen = MAX((wd + blockDim - 1) / blockDim, 1) * MAX((ht + blockDim - 1) / blockDim, 1) * blockSize;
+            if (UINT32_MAX - mipLen < dataLen) {
+                // data size would overflow 32-bit uint, invalid file
+                return 0;
+            }
+            dataLen += mipLen;
             wd >>= 1;
             ht >>= 1;
         }

--
Gitblit v1.9.3