
Commit 5d66894

committed
Fixed a problem with a null pointer dereference in the BMP decoder.
1 parent cfa945c commit 5d66894


2 files changed

+49
-17
lines changed


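--- a/src/libjasper/base/jas_seq.c
+++ b/src/libjasper/base/jas_seq.c
@@ -102,6 +102,10 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
 jas_matrix_t *matrix;
 int i;
 
+if (numrows < 0 || numcols < 0) {
+return 0;
+}
+
 if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
 return 0;
 }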
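Review bot: The new guard at the top of jas_matrix_create rejects negative numrows and numcols but puts no upper bound on their product, so two large positive values still pass. The allocation code lies outside this hunk, so this is inferred: if the element count is later computed as numrows * numcols in int arithmetic, it can overflow and the data buffer could end up smaller than the row indexing assumes. Consider extending the condition, e.g. `if (numrows < 0 || numcols < 0 || (numcols != 0 && numrows > INT_MAX / numcols)) {`, or using an overflow-checked multiply at the point where the size is computed. A short comment above the check saying that the dimensions can come from decoded image headers would also record why it exists.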

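--- a/src/libjasper/bmp/bmp_dec.c
+++ b/src/libjasper/bmp/bmp_dec.c
@@ -107,6 +107,9 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
 uint_fast16_t numcmpts;
 long n;
 
+image = 0;
+info = 0;
+
 if (optstr) {
 jas_eprintf("warning: ignoring BMP decoder options\n");
 }
@@ -121,7 +124,8 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
 /* Read the bitmap header. */
 if (bmp_gethdr(in, &hdr)) {
 jas_eprintf("cannot get header\n");
-return 0;
+goto error;
+//return 0;
 }
 JAS_DBGLOG(1, (
 "BMP header: magic 0x%x; siz %d; res1 %d; res2 %d; off %d\n",
@@ -131,33 +135,46 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
 /* Read the bitmap information. */
 if (!(info = bmp_getinfo(in))) {
 jas_eprintf("cannot get info\n");
-return 0;
+//return 0;
+goto error;
 }
 JAS_DBGLOG(1,
-("BMP information: len %d; width %d; height %d; numplanes %d; "
-"depth %d; enctype %d; siz %d; hres %d; vres %d; numcolors %d; "
-"mincolors %d\n", info->len, info->width, info->height, info->numplanes,
-info->depth, info->enctype, info->siz, info->hres, info->vres,
-info->numcolors, info->mincolors));
+("BMP information: len %ld; width %ld; height %ld; numplanes %d; "
+"depth %d; enctype %ld; siz %ld; hres %ld; vres %ld; numcolors %ld; "
+"mincolors %ld\n", JAS_CAST(long, info->len),
+JAS_CAST(long, info->width), JAS_CAST(long, info->height),
+JAS_CAST(long, info->numplanes), JAS_CAST(long, info->depth),
+JAS_CAST(long, info->enctype), JAS_CAST(long, info->siz),
+JAS_CAST(long, info->hres), JAS_CAST(long, info->vres),
+JAS_CAST(long, info->numcolors), JAS_CAST(long, info->mincolors)));
+
+if (info->width < 0 || info->height < 0 || info->numplanes < 0 ||
+info->depth < 0 || info->siz < 0 || info->hres < 0 || info->vres < 0) {
+jas_eprintf("corrupt bit stream\n");
+goto error;
+}
 
 /* Ensure that we support this type of BMP file. */
 if (!bmp_issupported(&hdr, info)) {
 jas_eprintf("error: unsupported BMP encoding\n");
-bmp_info_destroy(info);
-return 0;
+//bmp_info_destroy(info);
+//return 0;
+goto error;
 }
 
 /* Skip over any useless data between the end of the palette
 and start of the bitmap data. */
 if ((n = hdr.off - (BMP_HDRLEN + BMP_INFOLEN + BMP_PALLEN(info))) < 0) {
 jas_eprintf("error: possibly bad bitmap offset?\n");
-return 0;
+goto error;
+//return 0;
 }
 if (n > 0) {
 jas_eprintf("skipping unknown data in BMP file\n");
 if (bmp_gobble(in, n)) {
-bmp_info_destroy(info);
-return 0;
+//bmp_info_destroy(info);
+//return 0;
+goto error;
 }
 }
 
@@ -179,8 +196,9 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
 /* Create image object. */
 if (!(image = jas_image_create(numcmpts, cmptparms,
 JAS_CLRSPC_UNKNOWN))) {
-bmp_info_destroy(info);
-return 0;
+//bmp_info_destroy(info);
+//return 0;
+goto error;
 }
 
 if (numcmpts == 3) {
@@ -199,14 +217,24 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
 
 /* Read the bitmap data. */
 if (bmp_getdata(in, info, image)) {
-bmp_info_destroy(info);
-jas_image_destroy(image);
-return 0;
+//bmp_info_destroy(info);
+//jas_image_destroy(image);
+//return 0;
+goto error;
 }
 
 bmp_info_destroy(info);
 
 return image;
+
+error:
+if (info) {
+bmp_info_destroy(info);
+}
+if (image) {
+jas_image_destroy(image);
+}
+return 0;
 }
 
 int bmp_validate(jas_stream_t *in)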
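Review bot: The new "corrupt bit stream" check after the JAS_DBGLOG call tests width, height, numplanes, depth, siz, hres and vres for negative values but leaves out numcolors and mincolors, although `BMP_PALLEN(info)` feeds the offset computation `n = hdr.off - (...)` a few lines below. The field types are not visible here (the log only casts them to long), so this is inferred: if numcolors is signed, a negative value would presumably shrink the palette length and let a bad offset pass the `< 0` test. Consider adding `info->numcolors < 0 || info->mincolors < 0 ||` to the condition, and bounding width and height before `jas_image_create` if nothing upstream already does. The commented-out `//return 0;`, `//bmp_info_destroy(info);` and `//jas_image_destroy(image);` lines left beside each `goto error;` in this and the other hunks should be deleted rather than kept as dead code. bmp_decode begins before the first hunk, so the declarations of image and info are not shown.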
