|
 |
425a81 |
Backport of the upstream commits:
|
|
|
425a81 |
|
|
|
425a81 |
From d91198abd00fc435a397fe6bad906a4c1748e9cf Mon Sep 17 00:00:00 2001
|
|
|
425a81 |
From: Michael Adams <mdadams@ece.uvic.ca>
|
|
|
425a81 |
Date: Sun, 23 Oct 2016 03:34:35 -0700
|
|
|
425a81 |
Subject: [PATCH] Fixed another integer overflow problem.
|
|
|
425a81 |
|
|
|
425a81 |
From a712a2041085e7cd5f2b153e1532ac2a2954ffaa Mon Sep 17 00:00:00 2001
|
|
|
425a81 |
From: Michael Adams <mdadams@ece.uvic.ca>
|
|
|
425a81 |
Date: Thu, 2 Mar 2017 09:28:42 -0800
|
|
|
425a81 |
Subject: [PATCH] Added some additional checking to prevent a potential integer
|
|
|
425a81 |
overflow due to conversion in the JPC decoder.
|
|
|
425a81 |
|
|
|
425a81 |
diff -pruN jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
|
|
|
425a81 |
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:12:06.000000000 +0200
|
|
|
425a81 |
+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2017-03-31 22:14:46.112781219 +0200
|
|
|
425a81 |
@@ -1174,6 +1174,7 @@ static int jpc_dec_process_siz(jpc_dec_t
|
|
|
425a81 |
int htileno;
|
|
|
425a81 |
int vtileno;
|
|
|
425a81 |
jpc_dec_cmpt_t *cmpt;
|
|
|
425a81 |
+ size_t size;
|
|
|
425a81 |
|
|
|
425a81 |
dec->xstart = siz->xoff;
|
|
|
425a81 |
dec->ystart = siz->yoff;
|
|
|
425a81 |
@@ -1210,7 +1211,11 @@ static int jpc_dec_process_siz(jpc_dec_t
|
|
|
425a81 |
|
|
|
425a81 |
dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
|
|
|
425a81 |
dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
|
|
|
425a81 |
- dec->numtiles = dec->numhtiles * dec->numvtiles;
|
|
|
425a81 |
+ if (!jas_safe_size_mul(dec->numhtiles, dec->numvtiles, &size) ||
|
|
|
425a81 |
+ size > INT_MAX) {
|
|
|
425a81 |
+ return -1;
|
|
|
425a81 |
+ }
|
|
|
425a81 |
+ dec->numtiles = size;
|
|
|
425a81 |
if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
|
|
|
425a81 |
return -1;
|
|
|
425a81 |
}
|