From 1e18a1a09af9f143400cedc54a210f616c80ffb9 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Tue, 1 Jan 2019 18:57:36 -0600
Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
Fixes #304
---
diff --git turbojpeg.c turbojpeg.c
index 90a9ce6..3f7cd64 100644
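--- a/turbojpeg.c
+++ b/turbojpeg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
+ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 int align, int *height, int *pixelFormat,
 int flags)
 {
- int retval = 0, tempc, pitch;
+ int retval = 0, tempc;
+ size_t pitch;
 tjhandle handle = NULL;
 tjinstance *this;
 j_compress_ptr cinfo = NULL;
@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
 *pixelFormat = cs2pf[cinfo->in_color_space];
 
 pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ if ((unsigned long long)pitch * (unsigned long long)(*height) >
+ (unsigned long long)((size_t)-1) ||
+ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
 _throwg("tjLoadImage(): Memory allocation failure");
 
 if (setjmp(this->jerr.setjmp_buffer)) {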
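Review bot: The new guard in the third hunk widens both operands to `unsigned long long` and compares the product with `(size_t)-1`, so it can only fire where `size_t` is narrower than `unsigned long long`; where both are 64 bits the product wraps before the comparison and the test is always false. A division-based form does not depend on the type widths: `if ((pitch != 0 && (size_t)(*height) > (size_t)-1 / pitch) || (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)`. The unchanged context line above it, `pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);`, appears to still multiply in `int` (`width` is `int *`; the element type of `tjPixelSize` and the `PAD` macro are not visible here), so a large BMP width could overflow before the value ever reaches the `size_t`; casting the first operand, `(size_t)(*width)`, would move that arithmetic out of `int`. The body of tjLoadImage() starts and ends outside these hunks, so any earlier bounds check on the header dimensions or on a negative `*height` is not visible from here.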
--
2.20.1