|
 |
94b862 |
Backport of the upstream commit:
|
|
|
94b862 |
|
|
|
94b862 |
From 988f8365f7d8ad8073b6786e433d34c553ecf568 Mon Sep 17 00:00:00 2001
|
|
|
94b862 |
From: Michael Adams <mdadams@ece.uvic.ca>
|
|
|
94b862 |
Date: Sat, 22 Oct 2016 14:36:49 -0700
|
|
|
94b862 |
Subject: [PATCH] Fixed an integer overflow problem.
|
|
|
94b862 |
|
|
|
94b862 |
Further enhanced by an explicit check to ensure that size not only fits into
|
|
|
94b862 |
size_t, but that it also does not exceed INT_FAST32_MAX (the type of
|
|
|
94b862 |
matrix->datasize_). This is similar approach to what upstream used in
|
|
|
94b862 |
a712a2041085e7cd5f2b153e1532ac2a2954ffaa.
|
|
|
94b862 |
|
|
|
94b862 |
diff -pruN jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
|
|
|
94b862 |
--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c 2017-03-31 15:02:01.000000000 +0200
|
|
|
94b862 |
+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2017-03-31 15:41:17.527623038 +0200
|
|
|
94b862 |
@@ -101,13 +101,16 @@ jas_matrix_t *jas_matrix_create(int numr
|
|
|
94b862 |
{
|
|
|
94b862 |
jas_matrix_t *matrix;
|
|
|
94b862 |
int i;
|
|
|
94b862 |
+ size_t size;
|
|
|
94b862 |
+
|
|
|
94b862 |
+ matrix = 0;
|
|
|
94b862 |
|
|
|
94b862 |
if (numrows < 0 || numcols < 0) {
|
|
|
94b862 |
- return 0;
|
|
|
94b862 |
+ goto error;
|
|
|
94b862 |
}
|
|
|
94b862 |
|
|
|
94b862 |
if (!(matrix = jas_malloc(sizeof(jas_matrix_t)))) {
|
|
|
94b862 |
- return 0;
|
|
|
94b862 |
+ goto error;
|
|
|
94b862 |
}
|
|
|
94b862 |
matrix->flags_ = 0;
|
|
|
94b862 |
matrix->numrows_ = numrows;
|
|
|
94b862 |
@@ -115,21 +118,25 @@ jas_matrix_t *jas_matrix_create(int numr
|
|
|
94b862 |
matrix->rows_ = 0;
|
|
|
94b862 |
matrix->maxrows_ = numrows;
|
|
|
94b862 |
matrix->data_ = 0;
|
|
|
94b862 |
- matrix->datasize_ = numrows * numcols;
|
|
|
94b862 |
+ matrix->datasize_ = 0;
|
|
|
94b862 |
+
|
|
|
94b862 |
+ // matrix->datasize_ = numrows * numcols;
|
|
|
94b862 |
+ if (!jas_safe_size_mul(numrows, numcols, &size) || size > INT_FAST32_MAX) {
|
|
|
94b862 |
+ goto error;
|
|
|
94b862 |
+ }
|
|
|
94b862 |
+ matrix->datasize_ = size;
|
|
|
94b862 |
|
|
|
94b862 |
if (matrix->maxrows_ > 0) {
|
|
|
94b862 |
if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
|
|
|
94b862 |
sizeof(jas_seqent_t *)))) {
|
|
|
94b862 |
- jas_matrix_destroy(matrix);
|
|
|
94b862 |
- return 0;
|
|
|
94b862 |
+ goto error;
|
|
|
94b862 |
}
|
|
|
94b862 |
}
|
|
|
94b862 |
|
|
|
94b862 |
if (matrix->datasize_ > 0) {
|
|
|
94b862 |
if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
|
|
|
94b862 |
sizeof(jas_seqent_t)))) {
|
|
|
94b862 |
- jas_matrix_destroy(matrix);
|
|
|
94b862 |
- return 0;
|
|
|
94b862 |
+ goto error;
|
|
|
94b862 |
}
|
|
|
94b862 |
}
|
|
|
94b862 |
|
|
|
94b862 |
@@ -147,6 +154,12 @@ jas_matrix_t *jas_matrix_create(int numr
|
|
|
94b862 |
matrix->yend_ = matrix->numrows_;
|
|
|
94b862 |
|
|
|
94b862 |
return matrix;
|
|
|
94b862 |
+
|
|
|
94b862 |
+error:
|
|
|
94b862 |
+ if (matrix) {
|
|
|
94b862 |
+ jas_matrix_destroy(matrix);
|
|
|
94b862 |
+ }
|
|
|
94b862 |
+ return 0;
|
|
|
94b862 |
}
|
|
|
94b862 |
|
|
|
94b862 |
void jas_matrix_destroy(jas_matrix_t *matrix)
|