Integer overflow occurs when extracting large lossless image with swfextract.

Open yoya opened this issue 4 years ago • 0 comments

See here for the outline. https://github.com/matthiaskramm/swftools/pull/71

In an environment where int is a signed 32-bit type, this might be a bad thing.

    datalen = (width*height*bpp/8+cols*8);
    do {
        if(data)

width*height*bpp => 7083 * 9744 * 32 => 0x83A39600 =(signed) => -2086431232

datalen can be calculated accurately from the information in the lossless tag; the current process of iterating malloc & uncompress (starting from a rough estimate) is not good.

I suggested this bug fix in this PR. https://github.com/matthiaskramm/swftools/pull/152

yoya, Oct 13 '20 15:10
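
The overflow described in this issue, as an added example that is not part of the original post or of swftools: `wrapped_bits` reproduces the value a signed 32-bit int holds for the issue's dimensions, and `checked_datalen` evaluates the same `datalen` formula in 64 bits with overflow checks. Both function names and the `max_bytes` allocation limit are assumptions made for illustration; this is not the fix from the linked PR.

```c
#include <stdint.h>
#include <stdio.h>

/* Value a signed 32-bit int ends up holding for width*height*bpp.
 * Computed in uint32_t so the wraparound is well defined here
 * (overflow of a signed int is undefined behaviour in C). */
int32_t wrapped_bits(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (int32_t)(width * height * bpp);
}

/* Same formula as the issue, widened to 64 bits and checked at each step.
 * Returns 0 and stores the byte count in *out, or -1 if the size would
 * overflow or exceed max_bytes (a caller-chosen allocation limit). */
int checked_datalen(uint32_t width, uint32_t height, uint32_t bpp,
                    uint32_t cols, uint64_t max_bytes, uint64_t *out)
{
    uint64_t pixels = (uint64_t)width * height;   /* always fits in 64 bits */
    if (bpp != 0 && pixels > UINT64_MAX / bpp)
        return -1;
    uint64_t bytes = pixels * bpp / 8;
    uint64_t palette = (uint64_t)cols * 8;
    if (bytes > UINT64_MAX - palette)
        return -1;
    bytes += palette;
    if (bytes > max_bytes)
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    uint64_t len = 0;
    /* Dimensions taken from the issue: 7083 x 9744 at 32 bpp. */
    printf("32-bit int product: %d\n", (int)wrapped_bits(7083, 9744, 32));
    if (checked_datalen(7083, 9744, 32, 0, UINT64_C(1) << 30, &len) == 0)
        printf("checked datalen:   %llu bytes\n", (unsigned long long)len);
    return 0;
}
```
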