Skip to content
Permalink
Browse files

Fixed a problem with a null pointer dereference in the BMP decoder.

  • Loading branch information...
mdadams committed Oct 20, 2016
1 parent cfa945c commit 5d66894d2313e3f3469f19066e149e08ff076698
Showing with 49 additions and 17 deletions.
  1. +4 −0 src/libjasper/base/jas_seq.c
  2. +45 −17 src/libjasper/bmp/bmp_dec.c
@@ -102,6 +102,10 @@ jas_matrix_t *jas_matrix_create(int numrows, int numcols)
jas_matrix_t *matrix;
int i;

if (numrows < 0 || numcols < 0) {
return 0;
}

if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
return 0;
}
@@ -107,6 +107,9 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
uint_fast16_t numcmpts;
long n;

image = 0;
info = 0;

if (optstr) {
jas_eprintf("warning: ignoring BMP decoder options\n");
}
@@ -121,7 +124,8 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
/* Read the bitmap header. */
if (bmp_gethdr(in, &hdr)) {
jas_eprintf("cannot get header\n");
return 0;
goto error;
//return 0;
}
JAS_DBGLOG(1, (
"BMP header: magic 0x%x; siz %d; res1 %d; res2 %d; off %d\n",
@@ -131,33 +135,46 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
/* Read the bitmap information. */
if (!(info = bmp_getinfo(in))) {
jas_eprintf("cannot get info\n");
return 0;
//return 0;
goto error;
}
JAS_DBGLOG(1,
("BMP information: len %d; width %d; height %d; numplanes %d; "
"depth %d; enctype %d; siz %d; hres %d; vres %d; numcolors %d; "
"mincolors %d\n", info->len, info->width, info->height, info->numplanes,
info->depth, info->enctype, info->siz, info->hres, info->vres,
info->numcolors, info->mincolors));
("BMP information: len %ld; width %ld; height %ld; numplanes %d; "
"depth %d; enctype %ld; siz %ld; hres %ld; vres %ld; numcolors %ld; "
"mincolors %ld\n", JAS_CAST(long, info->len),
JAS_CAST(long, info->width), JAS_CAST(long, info->height),
JAS_CAST(long, info->numplanes), JAS_CAST(long, info->depth),
JAS_CAST(long, info->enctype), JAS_CAST(long, info->siz),
JAS_CAST(long, info->hres), JAS_CAST(long, info->vres),
JAS_CAST(long, info->numcolors), JAS_CAST(long, info->mincolors)));

if (info->width < 0 || info->height < 0 || info->numplanes < 0 ||
info->depth < 0 || info->siz < 0 || info->hres < 0 || info->vres < 0) {
jas_eprintf("corrupt bit stream\n");
goto error;
}

/* Ensure that we support this type of BMP file. */
if (!bmp_issupported(&hdr, info)) {
jas_eprintf("error: unsupported BMP encoding\n");
bmp_info_destroy(info);
return 0;
//bmp_info_destroy(info);
//return 0;
goto error;
}

/* Skip over any useless data between the end of the palette
and start of the bitmap data. */
if ((n = hdr.off - (BMP_HDRLEN + BMP_INFOLEN + BMP_PALLEN(info))) < 0) {
jas_eprintf("error: possibly bad bitmap offset?\n");
return 0;
goto error;
//return 0;
}
if (n > 0) {
jas_eprintf("skipping unknown data in BMP file\n");
if (bmp_gobble(in, n)) {
bmp_info_destroy(info);
return 0;
//bmp_info_destroy(info);
//return 0;
goto error;
}
}

@@ -179,8 +196,9 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)
/* Create image object. */
if (!(image = jas_image_create(numcmpts, cmptparms,
JAS_CLRSPC_UNKNOWN))) {
bmp_info_destroy(info);
return 0;
//bmp_info_destroy(info);
//return 0;
goto error;
}

if (numcmpts == 3) {
@@ -199,14 +217,24 @@ jas_image_t *bmp_decode(jas_stream_t *in, char *optstr)

/* Read the bitmap data. */
if (bmp_getdata(in, info, image)) {
bmp_info_destroy(info);
jas_image_destroy(image);
return 0;
//bmp_info_destroy(info);
//jas_image_destroy(image);
//return 0;
goto error;
}

bmp_info_destroy(info);

return image;

error:
if (info) {
bmp_info_destroy(info);
}
if (image) {
jas_image_destroy(image);
}
return 0;
}

int bmp_validate(jas_stream_t *in)

0 comments on commit 5d66894

Please sign in to comment.
You can’t perform that action at this time.