
Commit 988f836

committed
Fixed an integer overflow problem.
1 parent c5e348f commit 988f836


2 files changed

+22
-9
lines changed


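--- a/src/libjasper/base/jas_malloc.c
+++ b/src/libjasper/base/jas_malloc.c
@@ -238,7 +238,7 @@ void jas_free(void *ptr)
 void *jas_malloc(size_t size)
 {
 void *result;
-JAS_DBGLOG(101, ("jas_malloc called with %zu\n", size));
+JAS_DBGLOG(101, ("jas_malloc(%zu)\n", size));
 result = malloc(size);
 JAS_DBGLOG(100, ("jas_malloc(%zu) -> %p\n", size, result));
 return result;
@@ -247,7 +247,7 @@ void *jas_malloc(size_t size)
 void *jas_realloc(void *ptr, size_t size)
 {
 void *result;
-JAS_DBGLOG(101, ("jas_realloc called with %x,%zu\n", ptr, size));
+JAS_DBGLOG(101, ("jas_realloc(%x, %zu)\n", ptr, size));
 result = realloc(ptr, size);
 JAS_DBGLOG(100, ("jas_realloc(%p, %zu) -> %p\n", ptr, size, result));
 return result;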
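Review bot: The reworded entry trace in jas_realloc still formats `ptr` with `%x`, which expects an `unsigned int`; passing a `void *` there is a format/argument mismatch (undefined behaviour) and on 64-bit targets logs a truncated address at best. The exit trace two lines further down already uses `%p`, so the entry line should match it: `JAS_DBGLOG(101, ("jas_realloc(%p, %zu)\n", ptr, size));`. Both function bodies close outside the hunks shown here.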

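--- a/src/libjasper/base/jas_seq.c
+++ b/src/libjasper/base/jas_seq.c
@@ -101,35 +101,42 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
 {
 jas_matrix_t *matrix;
 int i;
+size_t size;
+
+matrix = 0;
 
 if (numrows < 0 || numcols < 0) {
-return 0;
+goto error;
 }
 
 if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
-return 0;
+goto error;
 }
 matrix->flags_ = 0;
 matrix->numrows_ = numrows;
 matrix->numcols_ = numcols;
 matrix->rows_ = 0;
 matrix->maxrows_ = numrows;
 matrix->data_ = 0;
-matrix->datasize_ = numrows * numcols;
+matrix->datasize_ = 0;
+
+// matrix->datasize_ = numrows * numcols;
+if (!jas_safe_size_mul(numrows, numcols, &size)) {
+goto error;
+}
+matrix->datasize_ = size;
 
 if (matrix->maxrows_ > 0) {
 if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
 sizeof(jas_seqent_t *)))) {
-jas_matrix_destroy(matrix);
-return 0;
+goto error;
 }
 }
 
 if (matrix->datasize_ > 0) {
 if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
 sizeof(jas_seqent_t)))) {
-jas_matrix_destroy(matrix);
-return 0;
+goto error;
 }
 }
 
@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
 matrix->yend_ = matrix->numrows_;
 
 return matrix;
+
+error:
+if (matrix) {
+jas_matrix_destroy(matrix);
+}
+return 0;
 }
 
 void jas_matrix_destroy(jas_matrix_t *matrix)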
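Review bot: The new check in jas_matrix_create only proves that the product fits in `size_t`; the following `matrix->datasize_ = size;` can still narrow it if `datasize_` is an int-sized field, which the old `numrows * numcols` int expression suggests but this page does not show. On a 64-bit build a product above `INT_MAX` would pass `jas_safe_size_mul` and then be truncated or turn negative, so the `datasize_ > 0` test and the `jas_alloc2` call would work from an element count that no longer matches `numrows_` and `numcols_`. A range check before the assignment, for example `if (size > INT_MAX) { goto error; }` with the limit chosen to match the field's real type, would close that gap. The commented-out `// matrix->datasize_ = numrows * numcols;` line is dead code and can be dropped. The function body continues between the two hunks, outside what is shown.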
