
Commit 882925b

committed
- Modified TileManager.cc to verify that malloc() has correctly allocated memory.
- Updated numerical types to std::size_t in RawTile.h, TileManager.cc, KakaduImage.cc, OpenJPEG.cc and Transforms.cc when allocating memory via new to avoid integer overflow - fixes remaining problems identified in #223.
1 parent 4ed5926 commit 882925b


6 files changed

+33
-17
lines changed


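--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+16/01/2022:
+- Modified TileManager.cc to verify that malloc() has correctly allocated memory.
+- Updated numerical types to std::size_t in RawTile.h, TileManager.cc, KakaduImage.cc, OpenJPEG.cc and Transforms.cc
+when allocating memory via new to avoid integer overflow - fixes remaining problems identified in
+https://github.com/ruven/iipsrv/issues/223.
+
+
 15/01/2022:
 - Added verification that image has been set in SPECTRA.cc and check on the validity of the requested tile
 resolution in JTL.cc. Fixes a couple of the crash conditions reported in https://github.com/ruven/iipsrv/issues/223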

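--- a/src/KakaduImage.cc
+++ b/src/KakaduImage.cc
@@ -447,11 +447,12 @@ RawTile KakaduImage::getRegion( int seq, int ang, unsigned int res, int layers,
 
 RawTile rawtile( 0, res, seq, ang, w, h, channels, obpc );
 
-if( obpc == 16 ) rawtile.data = new unsigned short[w*h*channels];
-else if( obpc == 8 ) rawtile.data = new unsigned char[w*h*channels];
+size_t np = (size_t) w * (size_t) h * (size_t) channels;
+if( obpc == 16 ) rawtile.data = new unsigned short[np];
+else if( obpc == 8 ) rawtile.data = new unsigned char[np];
 else throw file_error( "Kakadu :: Unsupported number of bits" );
 
-rawtile.dataLength = w*h*channels*(obpc/8);
+rawtile.dataLength = np*(obpc/8);
 rawtile.filename = getImagePath();
 rawtile.timestamp = timestamp;
 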
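Review bot: The new `np` product in getRegion is computed with no overflow or size check, so on a build where size_t is 32 bits the three-way multiply can still wrap, and on 64-bit builds an oversized region now reaches `new` as a very large allocation rather than a small wrapped one. If w and h can be influenced by the request (their origin is outside this hunk), a guard before the multiply covers both cases, for example `if( h && channels && (size_t) w > SIZE_MAX / (size_t) h / (size_t) channels ) throw file_error( "Kakadu :: Region too large" );`, with a configured maximum pixel count in place of SIZE_MAX if memory use should be bounded as well. `rawtile.dataLength = np*(obpc/8)` doubles the value for 16-bit output and needs the same headroom. The identical pattern is added in OpenJPEGImage::getRegion and TileManager::getRegion; all three function bodies continue outside their hunks.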

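--- a/src/OpenJPEGImage.cc
+++ b/src/OpenJPEGImage.cc
@@ -376,11 +376,12 @@ RawTile OpenJPEGImage::getRegion( int ha, int va, unsigned int res, int layers,
 
 RawTile rawtile( 0, res, ha, va, w, h, channels, obpc );
 
-if( obpc == 16 ) rawtile.data = new unsigned short[w * h * channels];
-else if( obpc == 8 ) rawtile.data = new unsigned char[w * h * channels];
+size_t np = (size_t) w * (size_t) h * (size_t) channels;
+if( obpc == 16 ) rawtile.data = new unsigned short[np];
+else if( obpc == 8 ) rawtile.data = new unsigned char[np];
 else throw file_error( "OpenJPEG :: Unsupported number of bits" );
 
-rawtile.dataLength = w*h*channels*(obpc/8);
+rawtile.dataLength = np*(obpc/8);
 rawtile.filename = getImagePath();
 rawtile.timestamp = timestamp;
 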

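--- a/src/RawTile.h
+++ b/src/RawTile.h
@@ -79,7 +79,7 @@ class RawTile{
 int memoryManaged;
 
 /// The size of the data pointed to by data
-unsigned int dataLength;
+size_t dataLength;
 
 /// The width in pixels of this tile
 unsigned int width;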
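Review bot: `size_t` is used unqualified in this header and no `<cstddef>` include is visible in the hunk; the header should include it itself rather than rely on a transitive include (the commit message speaks of `std::size_t`). The doc comment also leaves out the unit, which the assignments elsewhere in this commit show to be bytes: `/// The size in bytes of the buffer pointed to by data`. Code that copies dataLength into an int or unsigned int now narrows silently, so those call sites are worth a pass with -Wconversion. The class body continues outside the hunk.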

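--- a/src/TileManager.cc
+++ b/src/TileManager.cc
@@ -4,7 +4,7 @@
 
 /* IIP Server: Tile Cache Handler
 
-Copyright (C) 2005-2021 Ruven Pillay.
+Copyright (C) 2005-2022 Ruven Pillay.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -130,8 +130,14 @@ void TileManager::crop( RawTile *ttt ){
 
 // Create a new buffer, fill it with the old data, then copy
 // back the cropped part into the RawTile buffer
-int len = tw * th * ttt->channels * (ttt->bpc/8);
+unsigned int len = tw * th * ttt->channels * (ttt->bpc/8);
 unsigned char* buffer = (unsigned char*) malloc( len );
+
+// Check whether we have successfully allocated memory via malloc
+if( buffer == NULL ){
+std::bad_alloc e;
+throw e;
+}
 unsigned char* src_ptr = (unsigned char*) memcpy( buffer, ttt->data, len );
 unsigned char* dst_ptr = (unsigned char*) ttt->data;
 
@@ -365,21 +371,22 @@ RawTile TileManager::getRegion( unsigned int res, int seq, int ang, int layers,
 
 // Create an empty tile with the correct dimensions
 RawTile region( 0, res, seq, ang, width, height, channels, bpc );
-region.dataLength = width * height * channels * (bpc/8);
+size_t np = (size_t) width * (size_t) height * (size_t) channels;
+region.dataLength = np * (bpc/8);
 region.sampleType = sampleType;
 
 // Allocate memory for the region
-if( bpc == 8 ) region.data = new unsigned char[width*height*channels];
-else if( bpc == 16 ) region.data = new unsigned short[width*height*channels];
-else if( bpc == 32 && sampleType == FIXEDPOINT ) region.data = new int[width*height*channels];
-else if( bpc == 32 && sampleType == FLOATINGPOINT ) region.data = new float[width*height*channels];
+if( bpc == 8 ) region.data = new unsigned char[np];
+else if( bpc == 16 ) region.data = new unsigned short[np];
+else if( bpc == 32 && sampleType == FIXEDPOINT ) region.data = new int[np];
+else if( bpc == 32 && sampleType == FLOATINGPOINT ) region.data = new float[np];
 
 unsigned int current_height = 0;
 
 // Decode the image strip by strip
 for( unsigned int i=starty; i<endy; i++ ){
 
-unsigned int buffer_index = 0;
+unsigned long buffer_index = 0;
 
 // Keep track of the current pixel boundary horizontally. ie. only up
 // to the beginning of the current tile boundary.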
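Review bot: In crop() `len` is still the product `tw * th * ttt->channels * (ttt->bpc/8)` evaluated in the operands' own width (presumably 32 bits; tw and th are declared outside the hunk), so changing its type from int to unsigned int removes the negative result but not the wraparound before malloc() and memcpy(). Computing it the way getRegion now does, `size_t len = (size_t) tw * (size_t) th * (size_t) ttt->channels * (ttt->bpc/8);`, keeps the commit consistent. The new null check can be written `if( buffer == NULL ) throw std::bad_alloc();`, which needs `<new>` (no include is visible here) and also fires for len == 0 on platforms where malloc(0) returns NULL. In getRegion, `unsigned long buffer_index` is 32 bits on LLP64 targets such as 64-bit Windows; `size_t` would match `np`. Both function bodies continue outside their hunks.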

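--- a/src/Transforms.cc
+++ b/src/Transforms.cc
@@ -532,7 +532,7 @@ void Transform::interpolate_nearestneighbour( RawTile& in, unsigned int resample
 // Correctly set our Rawtile info
 in.width = resampled_width;
 in.height = resampled_height;
-in.dataLength = resampled_width * resampled_height * channels * (in.bpc/8);
+in.dataLength = (size_t)resampled_width * (size_t)resampled_height * (size_t)channels * (size_t)(in.bpc/8);
 in.data = output;
 }
 
@@ -618,7 +618,7 @@ void Transform::interpolate_bilinear( RawTile& in, unsigned int resampled_width,
 // Correctly set our Rawtile info
 in.width = resampled_width;
 in.height = resampled_height;
-in.dataLength = (size_t)resampled_width * (size_t)resampled_height * (size_t)channels * (size_t)(in.bpc/8);
+in.dataLength = (size_t)resampled_width * (size_t)resampled_height * (size_t)channels * (size_t)(in.bpc/8);
 in.data = output;
 }
 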
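Review bot: Both hunks widen only the `in.dataLength` assignment; the allocation of `output` in interpolate_nearestneighbour and interpolate_bilinear lies outside the hunks and is not touched by this commit (the file shows +2 -2). If that allocation still multiplies `resampled_width * resampled_height * channels` in unsigned int, a wrapped buffer size would now be paired with an unwrapped dataLength, and any consumer that trusts dataLength would read past the end of the buffer. The element count should be computed once as a `size_t` and used for both the `new` expression and `in.dataLength`.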
