blob: 5ae0149538c276fc2b3f0bcdf31ca7675e399332 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index e612d06..d515798 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -8148,11 +8148,16 @@ static OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data,
/* Allocate output component buffer if necessary */
if (!l_img_comp_dest->data) {
-
- l_img_comp_dest->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)l_img_comp_dest->w * (OPJ_SIZE_T)l_img_comp_dest->h, sizeof(OPJ_INT32));
- if (! l_img_comp_dest->data) {
- return OPJ_FALSE;
- }
+ OPJ_UINT32 width = l_img_comp_dest->w;
+ OPJ_UINT32 height = l_img_comp_dest->h;
+ const OPJ_UINT32 MAX_SIZE = UINT32_MAX / sizeof(OPJ_INT32);
+ if (height == 0 || width > MAX_SIZE / height) {
+ return OPJ_FALSE;
+ }
+ l_img_comp_dest->data = (OPJ_INT32*)opj_calloc(width * height, sizeof(OPJ_INT32));
+ if (!l_img_comp_dest->data) {
+ return OPJ_FALSE;
+ }
}
/* Copy info from decoded comp image to output image */
|