blob: d978f06120e858c11fd2d376aee149d7c7d7db5a [file] [log] [blame] [edit]
diff --git a/third_party/libopenjpeg/jp2.c b/third_party/libopenjpeg/jp2.c
index 38715b80f..dcaf3872c 100644
--- a/third_party/libopenjpeg/jp2.c
+++ b/third_party/libopenjpeg/jp2.c
@@ -1064,6 +1064,14 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
}
old_comps = image->comps;
+ /* Overflow check: prevent integer overflow */
+ for (i = 0; i < nr_channels; ++i) {
+ cmp = cmap[i].cmp;
+ if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) {
+ return OPJ_FALSE;
+ }
+ }
+
new_comps = (opj_image_comp_t*)
opj_malloc(nr_channels * sizeof(opj_image_comp_t));
if (!new_comps) {
@@ -1108,20 +1116,26 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
cmp = cmap[i].cmp;
pcol = cmap[i].pcol;
src = old_comps[cmp].data;
- assert(src); /* verified above */
+ dst = new_comps[i].data;
max = new_comps[i].w * new_comps[i].h;
+ /* Prevent null pointer access */
+ if (!src || !dst) {
+ for (j = 0; j < nr_channels; ++j) {
+ opj_free(new_comps[j].data);
+ }
+ opj_free(new_comps);
+ new_comps = NULL;
+ return OPJ_FALSE;
+ }
+
/* Direct use: */
if (cmap[i].mtyp == 0) {
- dst = new_comps[i].data;
- assert(dst);
for (j = 0; j < max; ++j) {
dst[j] = src[j];
}
} else {
assert( i == pcol ); // probably wrong?
- dst = new_comps[i].data;
- assert(dst);
for (j = 0; j < max; ++j) {
/* The index */
if ((k = src[j]) < 0) {