| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 |
- From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001
- From: DRC <information@libjpeg-turbo.org>
- Date: Tue, 1 Jan 2019 18:57:36 -0600
- Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
- Fixes #304
- [baruch: drop the ChangeLog.md hunk]
- Signed-off-by: Baruch Siach <baruch@tkos.co.il>
- ---
- Upstream status: commit 3d9c64e9f8aa
- ChangeLog.md | 4 ++++
- turbojpeg.c | 9 ++++++---
- 2 files changed, 10 insertions(+), 3 deletions(-)
- diff --git a/turbojpeg.c b/turbojpeg.c
- index 90a9ce6a0be8..3f7cd640677f 100644
- --- a/turbojpeg.c
- +++ b/turbojpeg.c
- @@ -1,5 +1,5 @@
- /*
- - * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
- + * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- @@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
- int align, int *height, int *pixelFormat,
- int flags)
- {
- - int retval = 0, tempc, pitch;
- + int retval = 0, tempc;
- + size_t pitch;
- tjhandle handle = NULL;
- tjinstance *this;
- j_compress_ptr cinfo = NULL;
- @@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
- *pixelFormat = cs2pf[cinfo->in_color_space];
-
- pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- - if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
- + if ((unsigned long long)pitch * (unsigned long long)(*height) >
- + (unsigned long long)((size_t)-1) ||
- + (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
- _throwg("tjLoadImage(): Memory allocation failure");
-
- if (setjmp(this->jerr.setjmp_buffer)) {
- --
- 2.20.1
|
