From 1bed3dbcea6473f84745ec7a1f936c4f5d3b3a01 Mon Sep 17 00:00:00 2001
From: Danny Baumann
Date: Sat, 03 Apr 2010 12:14:19 +0000
Subject: Correctly handle weird icon sizes.

iw * ih may overflow the value range of unsigned long if iw and ih are large enough, so check the single values as well.
---
diff --git a/src/window.c b/src/window.c
index 24300fe..bd5aae8 100644
--- a/src/window.c
+++ b/src/window.c
@@ -5361,18 +5361,22 @@ getWindowIcon (CompWindow *w,
 
 if (result == Success && data)
 {
- CARD32 *p;
- CARD32 alpha, red, green, blue;
- int iw, ih, j;
+ CARD32 *p;
+ CARD32 alpha, red, green, blue;
+ unsigned long iw, ih;
 
 for (i = 0; i + 2 < n; i += iw * ih + 2)
 {
 unsigned long *idata = (unsigned long *) data;
+ unsigned long j;
 
 iw = idata[i];
 ih = idata[i + 1];
 
- if (iw * ih + 2 > n - i)
+ /* iw * ih may be larger than the value range of unsigned
+ long, so better do some checking for extremely weird
+ icon sizes first */
+ if (iw > 2048 || ih > 2048 || iw * ih + 2 > n - i)
 break;
 
 if (iw && ih)
--
cgit v0.8.3.1-30-gff3a
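Review bot: The bound in `if (iw > 2048 || ih > 2048 || iw * ih + 2 > n - i)` rests on a bare literal that is safe only because 2048 * 2048 + 2 still fits in a 32-bit unsigned long, and it makes the loop stop at any icon with one long side even when that icon would fit in the remaining data. A division-based test rejects the overflowing sizes without an arbitrary cap: `if (ih && iw > (n - i - 2) / ih) break;`, where the loop condition `i + 2 < n` keeps `n - i - 2` positive provided `n` and `i` are unsigned. If the cap is meant as a deliberate limit on icon dimensions, name the constant and extend the comment to say that the sizes are read from `data`, which presumably holds client-supplied property contents and should be treated as untrusted. The declarations of `n` and `i`, the rest of getWindowIcon and every later use of `iw * ih` lie outside the hunk, so their types and any allocation sized from the product need checking against the same bound.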