Malloc check, #1715

python-pillow · Apr 1, 2016 · 0564fb8 · 0564fb8
1 parent 736b1e4
commit 0564fb8
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/libImaging/Storage.c b/libImaging/Storage.c
@@ -300,6 +300,7 @@ ImagingNewArray(const char *mode, int xsize, int ysize)
 
     /* Allocate image as an array of lines */
     for (y = 0; y < im->ysize; y++) {
+        /* malloc check UNDONE - where is linesize set? */
         p = (char *) malloc(im->linesize);
         if (!p) {
             ImagingDestroyArray(im);
@@ -339,18 +340,23 @@ ImagingNewBlock(const char *mode, int xsize, int ysize)
     if (!im)
         return NULL;
 
-    /* Use a single block */
-    bytes = (Py_ssize_t) im->ysize * im->linesize;
+
+    if (im->linesize &&
+        im->ysize > SIZE_MAX / im->linesize) {
+        /* punt if we're going to overflow */
+        return NULL;
+    }
+    /* Use a single block */        
+    bytes = ((Py_ssize_t) im->ysize) * im->linesize;
     if (bytes <= 0)
         /* some platforms return NULL for malloc(0); this fix
            prevents MemoryError on zero-sized images on such
            platforms */
         bytes = 1;
-    im->block = (char *) malloc(bytes);
+    /* malloc check ok, overflow check above */
+    im->block = (char *) calloc(bytes, 1);
 
     if (im->block) {
-        memset(im->block, 0, bytes);
-
         for (y = i = 0; y < im->ysize; y++) {
             im->image[y] = im->block + i;
             i += im->linesize;
@@ -386,7 +392,7 @@ ImagingNew(const char* mode, int xsize, int ysize)
     } else
         bytes = strlen(mode); /* close enough */
 
-    if ((int64_t) xsize * (int64_t) ysize * bytes <= THRESHOLD) {
+    if ((int64_t) xsize * (int64_t) ysize <= THRESHOLD / bytes) {
         im = ImagingNewBlock(mode, xsize, ysize);
         if (im)
             return im;