Avoid heap buffer overflow in function pnmtoimage of convert.c, and unsigned integer overflow in opj_image_create() (CVE-2016-9118, #861)

author: Even Rouault <even.rouault@spatialys.com> 2017-07-30 18:43:25 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2017-07-30 18:43:25 +0200
commit: c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 (patch)
tree: 1fc5f67a7ffd985526567f867b8bbe9f4ee89408 /src/lib
parent: 83342f2aafcab4599b49f780e35fd249e8402b61 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index e62b416c..d00a2370 100644
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -68,7 +68,13 @@ opj_image_t* OPJ_CALLCONV opj_image_create(OPJ_UINT32 numcmpts,
             comp->prec = cmptparms[compno].prec;
             comp->bpp = cmptparms[compno].bpp;
             comp->sgnd = cmptparms[compno].sgnd;
-            comp->data = (OPJ_INT32*) opj_calloc(comp->w * comp->h, sizeof(OPJ_INT32));
+            if (comp->h != 0 && (OPJ_SIZE_T)comp->w > SIZE_MAX / comp->h) {
+                // TODO event manager
+                opj_image_destroy(image);
+                return NULL;
+            }
+            comp->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)comp->w * comp->h,
+                                                 sizeof(OPJ_INT32));
             if (!comp->data) {
                 /* TODO replace with event manager, breaks API */
                 /* fprintf(stderr,"Unable to allocate memory for image.\n"); */
author	Even Rouault <even.rouault@spatialys.com>	2017-07-30 18:43:25 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2017-07-30 18:43:25 +0200
commit	c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 (patch)
tree	1fc5f67a7ffd985526567f867b8bbe9f4ee89408 /src/lib
parent	83342f2aafcab4599b49f780e35fd249e8402b61 (diff)