
Fixed potential integer overflow problem.

mdadams committed Oct 19, 2016
1 parent f596a07 commit b35a05635e56f554870ce85f64293a3868793f69
Showing with 22 additions and 11 deletions.
  1. +22 −11 src/libjasper/base/jas_image.c
@@ -303,15 +303,16 @@ void jas_image_destroy(jas_image_t *image)
jas_free(image);
}
static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t tly,
uint_fast32_t hstep, uint_fast32_t vstep, uint_fast32_t width, uint_fast32_t
height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem)
static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx,
uint_fast32_t tly, uint_fast32_t hstep, uint_fast32_t vstep,
uint_fast32_t width, uint_fast32_t height, uint_fast16_t depth, bool sgnd,
uint_fast32_t inmem)
{
jas_image_cmpt_t *cmpt;
long size;
size_t size;
if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) {
return 0;
goto error;
}
cmpt->type_ = JAS_IMAGE_CT_UNKNOWN;
@@ -326,23 +327,33 @@ static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t
cmpt->stream_ = 0;
cmpt->cps_ = (depth + 7) / 8;
size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : jas_stream_tmpfile();
// size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
!jas_safe_size_mul(size, cmpt->cps_, &size)) {
goto error;
}
cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) :
jas_stream_tmpfile();
if (!cmpt->stream_) {
jas_image_cmpt_destroy(cmpt);
return 0;
goto error;
}
/* Zero the component data. This isn't necessary, but it is
convenient for debugging purposes. */
/* Note: conversion of size - 1 to long can overflow */
if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 ||
jas_stream_putc(cmpt->stream_, 0) == EOF ||
jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) {
jas_image_cmpt_destroy(cmpt);
return 0;
goto error;
}
return cmpt;
error:
if (cmpt) {
jas_image_cmpt_destroy(cmpt);
}
return 0;
}
static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)
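Review bot: In the second hunk the overflow-checked `size` is narrowed again without a check: `jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET)` converts it to `long`, which the comment added just above that call acknowledges, and `jas_stream_memopen(0, size)` may narrow it as well if its length parameter is an `int` (the prototype is not on this page). Where `long` cannot hold every `size_t` value, a product that passes both `jas_safe_size_mul` calls can still become a negative or truncated offset, and a `size` of zero makes `size - 1` wrap. I would add a bound right after the multiplication, `if (size == 0 || size > LONG_MAX) { goto error; }`, tightened to `INT_MAX` if `jas_stream_memopen` takes an `int`; whether zero-sized components must stay accepted needs checking against the callers, which are not visible here. The commented-out `// size = cmpt->width_ * cmpt->height_ * cmpt->cps_;` is dead code and can be dropped. Part of the function body lies between the two hunks and is not shown, so this assumes nothing there already bounds `width_`, `height_` or `cps_`.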
