diff options
Diffstat (limited to 'third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch')
-rw-r--r-- | third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch | 91 |
1 files changed, 45 insertions, 46 deletions
diff --git a/third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch b/third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch index 72105fec4f..f4f2ef5c01 100644 --- a/third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch +++ b/third_party/libopenjpeg20/0022-jp2_apply_pclr_overflow.patch @@ -1,53 +1,52 @@ diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c -index a6648f6..8128d98 100644 +index 1fa607d66..78a2d22ff 100644 --- a/third_party/libopenjpeg20/jp2.c +++ b/third_party/libopenjpeg20/jp2.c -@@ -972,6 +972,14 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color) - nr_channels = color->jp2_pclr->nr_channels; +@@ -1049,6 +1049,14 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image, + } - old_comps = image->comps; -+ /* Overflow check: prevent integer overflow */ -+ for (i = 0; i < nr_channels; ++i) { -+ cmp = cmap[i].cmp; -+ if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) { -+ return; -+ } -+ } + old_comps = image->comps; ++ /* Overflow check: prevent integer overflow */ ++ for (i = 0; i < nr_channels; ++i) { ++ cmp = cmap[i].cmp; ++ if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) { ++ return OPJ_FALSE; ++ } ++ } + - new_comps = (opj_image_comp_t*) - opj_malloc(nr_channels * sizeof(opj_image_comp_t)); - if (!new_comps) { -@@ -1011,22 +1019,28 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color) - /* Palette mapping: */ - cmp = cmap[i].cmp; pcol = cmap[i].pcol; - src = old_comps[cmp].data; -- assert( src ); -+ dst = new_comps[i].data; - max = new_comps[i].w * new_comps[i].h; + new_comps = (opj_image_comp_t*) + opj_malloc(nr_channels * sizeof(opj_image_comp_t)); + if (!new_comps) { +@@ -1093,21 +1101,27 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image, + cmp = cmap[i].cmp; + pcol = cmap[i].pcol; + src = old_comps[cmp].data; +- assert(src); /* verified above */ ++ dst = new_comps[i].data; + max = new_comps[i].w * new_comps[i].h; -+ /* Prevent null pointer access */ -+ if (!src || !dst) { -+ for (j = 0; j < nr_channels; ++j) { -+ opj_free(new_comps[j].data); -+ } -+ opj_free(new_comps); -+ new_comps = NULL; -+ return; -+ } ++ /* Prevent null pointer access */ ++ if (!src || !dst) { ++ for (j = 0; j < nr_channels; ++j) { ++ opj_free(new_comps[j].data); ++ } ++ opj_free(new_comps); ++ new_comps = NULL; ++ return OPJ_FALSE; ++ } + - /* Direct use: */ - if(cmap[i].mtyp == 0) { - assert( cmp == 0 ); // probably wrong. -- dst = new_comps[i].data; -- assert( dst ); - for(j = 0; j < max; ++j) { - dst[j] = src[j]; - } - } - else { - assert( i == pcol ); // probably wrong? -- dst = new_comps[i].data; -- assert( dst ); - for(j = 0; j < max; ++j) { - /* The index */ - if((k = src[j]) < 0) k = 0; else if(k > top_k) k = top_k; + /* Direct use: */ + if (cmap[i].mtyp == 0) { + assert( cmp == 0 ); // probably wrong. +- dst = new_comps[i].data; +- assert(dst); + for (j = 0; j < max; ++j) { + dst[j] = src[j]; + } + } else { + assert( i == pcol ); // probably wrong? +- dst = new_comps[i].data; +- assert(dst); + for (j = 0; j < max; ++j) { + /* The index */ + if ((k = src[j]) < 0) { |