| diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c |
| index a6648f6..8128d98 100644 |
| --- a/third_party/libopenjpeg20/jp2.c |
| +++ b/third_party/libopenjpeg20/jp2.c |
| @@ -972,6 +972,14 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color) |
| nr_channels = color->jp2_pclr->nr_channels; |
| |
| old_comps = image->comps; |
| + /* Overflow check: prevent integer overflow */ |
| + for (i = 0; i < nr_channels; ++i) { |
| + cmp = cmap[i].cmp; |
| + if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) { |
| + return; |
| + } |
| + } |
| + |
| new_comps = (opj_image_comp_t*) |
| opj_malloc(nr_channels * sizeof(opj_image_comp_t)); |
| if (!new_comps) { |
| @@ -1011,22 +1019,28 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color) |
| /* Palette mapping: */ |
| cmp = cmap[i].cmp; pcol = cmap[i].pcol; |
| src = old_comps[cmp].data; |
| - assert( src ); |
| + dst = new_comps[i].data; |
| max = new_comps[i].w * new_comps[i].h; |
| |
| + /* Prevent null pointer access */ |
| + if (!src || !dst) { |
| + for (j = 0; j < nr_channels; ++j) { |
| + opj_free(new_comps[j].data); |
| + } |
| + opj_free(new_comps); |
| + new_comps = NULL; |
| + return; |
| + } |
| + |
| /* Direct use: */ |
| if(cmap[i].mtyp == 0) { |
| assert( cmp == 0 ); // probably wrong. |
| - dst = new_comps[i].data; |
| - assert( dst ); |
| for(j = 0; j < max; ++j) { |
| dst[j] = src[j]; |
| } |
| } |
| else { |
| assert( i == pcol ); // probably wrong? |
| - dst = new_comps[i].data; |
| - assert( dst ); |
| for(j = 0; j < max; ++j) { |
| /* The index */ |
| if((k = src[j]) < 0) k = 0; else if(k > top_k) k = top_k; |