From 3e4d0b69d4a4568e68331400280e07ad819b4d5f Mon Sep 17 00:00:00 2001
From: Benjamin Otte
Date: Tue, 2 Jan 2024 00:54:36 +0100
Subject: [PATCH] gdkpng: Make the png loader safer against overflows

Load images that result in a texture >4GB in size. And now let me keep playing with my 60k x 60k image, thanks. I'm trying to OOM my GPU.
---
 gdk/loaders/gdkpng.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/gdk/loaders/gdkpng.c b/gdk/loaders/gdkpng.c
index 954a2e48d4..aca5d48fdb 100644
--- a/gdk/loaders/gdkpng.c
+++ b/gdk/loaders/gdkpng.c
@@ -137,8 +137,9 @@ gdk_load_png (GBytes *bytes,
   png_struct *png = NULL;
   png_info *info;
   guint width, height;
+  gsize i, stride;
   int depth, color_type;
-  int interlace, stride;
+  int interlace;
   GdkMemoryFormat format;
   guchar *buffer = NULL;
   guchar **row_pointers = NULL;
@@ -263,9 +264,14 @@ gdk_load_png (GBytes *bytes,
     }
 
   bpp = gdk_memory_format_bytes_per_pixel (format);
-  stride = width * bpp;
-  if (stride % 8)
-    stride += 8 - stride % 8;
+  if (!g_size_checked_mul (&stride, width, bpp) ||
+      !g_size_checked_add (&stride, stride, (8 - stride % 8) % 8))
+    {
+      g_set_error (error,
+                   GDK_TEXTURE_ERROR, GDK_TEXTURE_ERROR_TOO_LARGE,
+                   _("Image stride too large for image size %ux%u"), width, height);
+      return NULL;
+    }
 
   buffer = g_try_malloc_n (height, stride);
   row_pointers = g_try_malloc_n (height, sizeof (char *));
@@ -281,7 +287,7 @@ gdk_load_png (GBytes *bytes,
       return NULL;
     }
 
-  for (int i = 0; i < height; i++)
+  for (i = 0; i < height; i++)
     row_pointers[i] = &buffer[i * stride];
 
   png_read_image (png, row_pointers);
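Review bot: The new stride-overflow branch in the second hunk returns NULL without releasing the libpng read state held in `png` and `info` (declared in the first hunk), which by this point in gdk_load_png has already been created and used to read the header; if the out-of-memory branch immediately below (its body lies outside the hunk, only its `return NULL; }` is visible) tears that state down with `png_destroy_read_struct (&png, &info, NULL);` before returning, this branch should do the same, otherwise rejecting an oversized image leaks the decoder structures. The arithmetic itself looks sound: `g_try_malloc_n (height, stride)` already guards the height × stride product, the checked multiply/add closes the remaining width × bpp and 8-byte rounding overflow, and switching `i` to `gsize` in the last hunk keeps `i * stride` in the row-pointer loop from overflowing as the old `int` did. A one-line comment on the rounding term would help the next reader, e.g. `/* round the stride up to a multiple of 8 bytes; both steps are overflow-checked */`. gdk_load_png starts and ends outside these hunks.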