-rw-r--r-- | Userland/Libraries/LibGUI/Window.cpp | 5 | ||||
-rw-r--r-- | Userland/Libraries/LibGfx/Bitmap.cpp | 2 | ||||
-rw-r--r-- | Userland/Services/WindowServer/ClientConnection.cpp | 4 |
3 files changed, 9 insertions, 2 deletions
diff --git a/Userland/Libraries/LibGUI/Window.cpp b/Userland/Libraries/LibGUI/Window.cpp
index 648371985d..07a3de700e 100644
--- a/Userland/Libraries/LibGUI/Window.cpp
+++ b/Userland/Libraries/LibGUI/Window.cpp
@@ -788,8 +788,11 @@ OwnPtr<WindowBackingStore> Window::create_backing_store(const Gfx::IntSize& size
 // FIXME: Plumb scale factor here eventually.
 auto bitmap = Gfx::Bitmap::create_with_anonymous_buffer(format, buffer, size, 1, {});
- if (!bitmap)
+ if (!bitmap) {
+ VERIFY(size.width() <= INT16_MAX);
+ VERIFY(size.height() <= INT16_MAX);
 return {};
+ }
 return make<WindowBackingStore>(bitmap.release_nonnull());
 }
diff --git a/Userland/Libraries/LibGfx/Bitmap.cpp b/Userland/Libraries/LibGfx/Bitmap.cpp
index 35011614a2..67d1ed8704 100644
--- a/Userland/Libraries/LibGfx/Bitmap.cpp
+++ b/Userland/Libraries/LibGfx/Bitmap.cpp
@@ -58,7 +58,7 @@ static bool size_would_overflow(BitmapFormat format, const IntSize& size, int sc
 if (size.width() < 0 || size.height() < 0)
 return true;
 // This check is a bit arbitrary, but should protect us from most shenanigans:
- if (size.width() >= 32768 || size.height() >= 32768 || scale_factor < 1 || scale_factor > 4)
+ if (size.width() >= INT16_MAX || size.height() >= INT16_MAX || scale_factor < 1 || scale_factor > 4)
 return true;
 // In contrast, this check is absolutely necessary:
 size_t pitch = Bitmap::minimum_pitch(size.width() * scale_factor, format);
diff --git a/Userland/Services/WindowServer/ClientConnection.cpp b/Userland/Services/WindowServer/ClientConnection.cpp
index f9bb148463..a630230906 100644
--- a/Userland/Services/WindowServer/ClientConnection.cpp
+++ b/Userland/Services/WindowServer/ClientConnection.cpp
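Review bot: The two `VERIFY` calls sit inside the `if (!bitmap)` branch, so they run only after `create_with_anonymous_buffer` has already failed, and for an oversized request they assert instead of reaching `return {};`. If the goal is to refuse oversized backing stores, the size test belongs before the bitmap is created and should fail softly, e.g. `if (size.width() > INT16_MAX || size.height() > INT16_MAX) return {};`. As written, any path that reaches this function with a larger size takes down the client process; whether such a path still exists after the WindowServer-side check is not visible from this hunk. create_backing_store starts above the hunk.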
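Review bot: Swapping `32768` for `INT16_MAX` while keeping `>=` lowers the limit by one, so a width or height of exactly 32767 was accepted before and is now rejected. The other two checks in this commit treat 32767 as valid (`> INT16_MAX` in ClientConnection.cpp, `<= INT16_MAX` in Window.cpp), so a SetWindowRect of that size passes the server-side validation and then fails here. Use `size.width() > INT16_MAX || size.height() > INT16_MAX` to keep the previous bound and make the three checks agree. The comment above still calls the check "a bit arbitrary"; it could say that the cap matches the limit WindowServer enforces on client rects. size_would_overflow continues below the hunk.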
@@ -363,6 +363,10 @@ Messages::WindowServer::SetWindowRectResponse ClientConnection::set_window_rect(
 dbgln("ClientConnection: Ignoring SetWindowRect request for fullscreen window");
 return nullptr;
 }
+ if (rect.width() > INT16_MAX || rect.height() > INT16_MAX) {
+ did_misbehave(String::formatted("SetWindowRect: Bad window sizing(width={}, height={}), dimension exceeds INT16_MAX", rect.width(), rect.height()).characters());
+ return nullptr;
+ }
 if (rect.location() != window.rect().location()) {
 window.set_default_positioned(false); |
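Review bot: The new guard bounds only the upper end of `rect.width()` and `rect.height()`, so zero or negative dimensions sent by a client are not flagged as misbehaviour at this point. Nothing in the hunk shows them being rejected earlier, but set_window_rect starts above and continues below the hunk, so this may be handled elsewhere. If it is not, extend the condition with `rect.width() < 0 || rect.height() < 0 ||` so malformed rects are refused at the IPC boundary rather than further down in bitmap allocation. A short comment such as `// Keep in sync with size_would_overflow() in LibGfx/Bitmap.cpp` would also record why this particular limit is used.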