From 1f0dfe5a42911b6880a1445f13f6d615ddb55387 Mon Sep 17 00:00:00 2001
From: Michael Adams
Date: Fri, 4 Nov 2016 07:20:23 -0700
Subject: [PATCH] Fixed an integer overflow problem in the JPC codec that later resulted in the use of uninitialized data.
---
 src/libjasper/jpc/jpc_t2cod.c | 20 ++++++++++----------
 src/libjasper/jpc/jpc_t2cod.h | 20 ++++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/libjasper/jpc/jpc_t2cod.c b/src/libjasper/jpc/jpc_t2cod.c
index 08315dd..174442a 100644
--- a/src/libjasper/jpc/jpc_t2cod.c
+++ b/src/libjasper/jpc/jpc_t2cod.c
@@ -432,18 +432,18 @@ static int jpc_pi_nextcprl(register jpc_pi_t *pi)
 &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, ++pi->picomp) {
 pirlvl = pi->picomp->pirlvls;
- pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
- pi->picomp->numrlvls - 1));
- pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn +
- pi->picomp->numrlvls - 1));
+ pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
+ (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
+ pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
+ (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1));
 for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1]; rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) {
- pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 <<
- (pirlvl->prcwidthexpn + pi->picomp->numrlvls -
- rlvlno - 1)));
- pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 <<
- (pirlvl->prcheightexpn + pi->picomp->numrlvls -
- rlvlno - 1)));
+ pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp *
+ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn +
+ pi->picomp->numrlvls - rlvlno - 1)));
+ pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp *
+ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn +
+ pi->picomp->numrlvls - rlvlno - 1)));
 }
 for (pi->y = pi->ystart; pi->y < pi->yend; pi->y += pi->ystep - (pi->y % pi->ystep)) {
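Review bot: The shift count `pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1` (and the `prcheightexpn` and `- rlvlno - 1` variants in the inner loop) is still never range-checked, so widening the left operand to `uint_fast32_t` raises the overflow threshold rather than removing it. `uint_fast32_t` is only guaranteed to be at least 32 bits wide, and a shift count at or above its width is undefined. A product with `hsamp`/`vsamp` that wraps can also leave `xstep` or `ystep` at 0, which the `pi->y % pi->ystep` in the last context line then divides by. I would test each resolution level before the step is computed, something like `if (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1 >= sizeof(uint_fast32_t) * CHAR_BIT)` plus the matching height test, and fail the iteration when it holds. The body of `jpc_pi_nextcprl` starts and ends outside the hunk, so the error return its callers expect is not visible here.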
diff --git a/src/libjasper/jpc/jpc_t2cod.h b/src/libjasper/jpc/jpc_t2cod.h
index 0a176c9..690e031 100644
--- a/src/libjasper/jpc/jpc_t2cod.h
+++ b/src/libjasper/jpc/jpc_t2cod.h
@@ -129,10 +129,10 @@ typedef struct {
 jpc_pirlvl_t *pirlvls;
 /* The horizontal sampling period. */
- int hsamp;
+ uint_fast32_t hsamp;
 /* The vertical sampling period. */
- int vsamp;
+ uint_fast32_t vsamp;
 } jpc_picomp_t;
@@ -171,32 +171,32 @@ typedef struct {
 int lyrno;
 /* The x-coordinate of the current position. */
- int x;
+ uint_fast32_t x;
 /* The y-coordinate of the current position. */
- int y;
+ uint_fast32_t y;
 /* The horizontal step size. */
- int xstep;
+ uint_fast32_t xstep;
 /* The vertical step size. */
- int ystep;
+ uint_fast32_t ystep;
 /* The x-coordinate of the top-left corner of the tile on the reference grid. */
- int xstart;
+ uint_fast32_t xstart;
 /* The y-coordinate of the top-left corner of the tile on the reference grid. */
- int ystart;
+ uint_fast32_t ystart;
 /* The x-coordinate of the bottom-right corner of the tile on the reference grid (plus one). */
- int xend;
+ uint_fast32_t xend;
 /* The y-coordinate of the bottom-right corner of the tile on the reference grid (plus one). */
- int yend;
+ uint_fast32_t yend;
 /* The current progression change. */
 jpc_pchg_t *pchg;
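Review bot: Making `x`, `y`, `xstep`, `ystep` and the `xstart`/`ystart`/`xend`/`yend` bounds of the iterator struct unsigned (second hunk), along with `hsamp`/`vsamp` in `jpc_picomp_t` (first hunk), changes every expression that mixes them with the fields that stay `int`, such as `lyrno`. Under the usual arithmetic conversions those comparisons and subtractions become unsigned, so an intermediate that used to go negative and fail a `<` test now turns into a very large positive value. Only `jpc_pi_nextcprl` is touched in the .c file of this patch, so the other readers and writers of these fields presumably need an audit for signed locals and for assignments from signed or wider tile coordinates. The field comments could also carry the contract, e.g. `/* The horizontal step size (unsigned; must be nonzero before it is used as a divisor). */`, and likewise for `ystep`.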