Fixed potential integer overflow problem.

src/libjasper/base/jas_image.c

@@ -303,15 +303,16 @@ void jas_image_destroy(jas_image_t *image)
 	jas_free(image);
 }
 
-static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t tly,
-  uint_fast32_t hstep, uint_fast32_t vstep, uint_fast32_t width, uint_fast32_t
-  height, uint_fast16_t depth, bool sgnd, uint_fast32_t inmem)
+static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx,
+  uint_fast32_t tly, uint_fast32_t hstep, uint_fast32_t vstep,
+  uint_fast32_t width, uint_fast32_t height, uint_fast16_t depth, bool sgnd,
+  uint_fast32_t inmem)
 {
 	jas_image_cmpt_t *cmpt;
-	long size;
+	size_t size;
 
 	if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) {
-		return 0;
+		goto error;
 	}
 
 	cmpt->type_ = JAS_IMAGE_CT_UNKNOWN;
@@ -326,23 +327,33 @@ static jas_image_cmpt_t *jas_image_cmpt_create(uint_fast32_t tlx, uint_fast32_t
 	cmpt->stream_ = 0;
 	cmpt->cps_ = (depth + 7) / 8;
 
-	size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
-	cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : jas_stream_tmpfile();
+	// size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
+	if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
+	  !jas_safe_size_mul(size, cmpt->cps_, &size)) {
+		goto error;
+	}
+	cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) :
+	  jas_stream_tmpfile();
 	if (!cmpt->stream_) {
-		jas_image_cmpt_destroy(cmpt);
-		return 0;
+		goto error;
 	}
 
 	/* Zero the component data.  This isn't necessary, but it is
 	convenient for debugging purposes. */
+	/* Note: conversion of size - 1 to long can overflow */
 	if (jas_stream_seek(cmpt->stream_, size - 1, SEEK_SET) < 0 ||
 	  jas_stream_putc(cmpt->stream_, 0) == EOF ||
 	  jas_stream_seek(cmpt->stream_, 0, SEEK_SET) < 0) {
-		jas_image_cmpt_destroy(cmpt);
-		return 0;
+		goto error;
 	}
 
 	return cmpt;
+
+error:
+	if (cmpt) {
+		jas_image_cmpt_destroy(cmpt);
+	}
+	return 0;
 }
 
 static void jas_image_cmpt_destroy(jas_image_cmpt_t *cmpt)