diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c
index b03fa6d1..04adbba9 100644
--- a/src/libjasper/base/jas_image.c
+++ b/src/libjasper/base/jas_image.c
@@ -303,15 +303,16 @@ void jas_image_destroy(jas_image_t *image)
 jas_free(image);
 }
-static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t tly,
- uint_fast32_t hstep, uint_fast32_t vstep, uint_fast32_t width, uint_fast32_t
- height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem)
+static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx,
+ uint_fast32_t tly, uint_fast32_t hstep, uint_fast32_t vstep,
+ uint_fast32_t width, uint_fast32_t height, uint_fast16_t depth, bool sgnd,
+ uint_fast32_t inmem)
 {
 jas_image_cmpt_t *cmpt;
- long size;
+ size_t size;
 if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) {
- return 0;
+ goto error;
 }
 cmpt->type_ = JAS_IMAGE_CT_UNKNOWN;
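Review bot: `jas_image_cmpt_create` still has no header comment, and now that every failure funnels through a single `error:` exit its contract is worth stating at the signature. A line such as `/* Create a component and its backing stream; returns 0 on allocation failure, size overflow, or stream error. */` above the definition would do. The function body continues past this hunk, so the `error:` label this hunk jumps to is only visible in the next one.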
@@ -326,23 +327,33 @@ static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t
 cmpt->stream_ = 0;
 cmpt->cps_ = (depth + 7) / 8;
- size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
- cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : jas_stream_tmpfile();
+ // size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
+ if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
+ !jas_safe_size_mul(size, cmpt->cps_, &size)) {
+ goto error;
+ }
+ cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) :
+ jas_stream_tmpfile();
 if (!cmpt->stream_) {
- jas_image_cmpt_destroy(cmpt);
- return 0;
+ goto error;
 }
 /* Zero the component data. This isn't necessary, but it is convenient for debugging purposes. */
+ /* Note: conversion of size - 1 to long can overflow */
 if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 || jas_stream_putc(cmpt->stream_, 0) == EOF || jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) {
- jas_image_cmpt_destroy(cmpt);
- return 0;
+ goto error;
 }
 return cmpt;
+
+error:
+ if (cmpt) {
+ jas_image_cmpt_destroy(cmpt);
+ }
+ return 0;
 }
 static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
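Review bot: The overflow-checked `size` still reaches `jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET)` unguarded. The added comment itself admits that converting `size - 1` to long can overflow, and because `size` is now a `size_t`, a zero product makes `size - 1` wrap to `SIZE_MAX` instead of -1. A range check right after the two `jas_safe_size_mul` calls would close this, e.g. `if (size == 0 || size - 1 > LONG_MAX) { goto error; }`; whether a zero-sized component should instead skip the zeroing step is a design choice not visible here. The prototype of `jas_stream_memopen` is not shown either, so if its size parameter is narrower than `size_t` the value is truncated again at that call and needs the same bound. Separately, the commented-out `// size = ...` line is dead code and can be dropped.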