imageio_util: add ImgIoUtilCheckSizeArgumentsOverflow

and use it to validate decoder allocations. fixes a crash in jpegdec at
least.

BUG=webp:312

Change-Id: Ia940590098f29510add6aad10a8dfe9e9ea46bf4
(cherry picked from commit bc86b7a8a1)
James Zern
2016-10-07 13:18:29 -07:00
parent e375080d8f
commit c284780f0a
6 changed files with 53 additions and 13 deletions


@@ -258,7 +258,8 @@ int ReadJPEG(const uint8_t* const data, size_t data_size,
WebPPicture* const pic, int keep_alpha,
Metadata* const metadata) {
volatile int ok = 0;
int stride, width, height;
int width, height;
int64_t stride;
volatile struct jpeg_decompress_struct dinfo;
struct my_error_mgr jerr;
uint8_t* volatile rgb = NULL;
@@ -297,9 +298,14 @@ int ReadJPEG(const uint8_t* const data, size_t data_size,
width = dinfo.output_width;
height = dinfo.output_height;
stride = dinfo.output_width * dinfo.output_components * sizeof(*rgb);
stride = (int64_t)dinfo.output_width * dinfo.output_components * sizeof(*rgb);
rgb = (uint8_t*)malloc(stride * height);
if (stride != (int)stride ||
!ImgIoUtilCheckSizeArgumentsOverflow(stride, height)) {
goto End;
}
rgb = (uint8_t*)malloc((size_t)stride * height);
if (rgb == NULL) {
goto End;
}
@@ -326,7 +332,7 @@ int ReadJPEG(const uint8_t* const data, size_t data_size,
// WebP conversion.
pic->width = width;
pic->height = height;
ok = WebPPictureImportRGB(pic, rgb, stride);
ok = WebPPictureImportRGB(pic, rgb, (int)stride);
if (!ok) goto Error;
End: