| author | trylab <trylab@users.noreply.github.com> | 2016-09-13 17:43:30 +0800 |
|---|---|---|
| committer | trylab <trylab@users.noreply.github.com> | 2016-09-13 17:43:30 +0800 |
| commit | 893143c8e13e491d0e884eb757580ec9575bbc8f (patch) | |
| tree | 296169b1f2608a57c2bb7adc3bbb80d4ef6141d2 /src | |
| parent | 805972f4c85fd4b34e08e499c12c68334706df47 (diff) | |
Fix issue 833.
Add some overflow check operations.
Diffstat (limited to 'src')
| -rw-r--r-- | src/bin/jp2/convertbmp.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index d264823f..ae83077c 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -675,10 +675,28 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
 }
 }
+ if (Info_h.biWidth == 0 || Info_h.biHeight == 0) {
+ fclose(IN);
+ return NULL;
+ }
+
+ if (Info_h.biBitCount > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+ fclose(IN);
+ return NULL;
+ }
 stride = ((Info_h.biWidth * Info_h.biBitCount + 31U) / 32U) * 4U; /* rows are aligned on 32bits */
 if (Info_h.biBitCount == 4 && Info_h.biCompression == 2) { /* RLE 4 gets decoded as 8 bits data for now... */
+ if (8 > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+ fclose(IN);
+ return NULL;
+ }
 stride = ((Info_h.biWidth * 8U + 31U) / 32U) * 4U;
 }
+
+ if (stride > ((OPJ_UINT32)-1) / sizeof(OPJ_UINT8) / Info_h.biHeight) {
+ fclose(IN);
+ return NULL;
+ }
 pData = (OPJ_UINT8 *) calloc(1, stride * Info_h.biHeight * sizeof(OPJ_UINT8));
 if (pData == NULL) {
 fclose(IN); |
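Review bot: The guards added before `calloc` only rule out wraparound of the 32-bit arithmetic, so a header declaring a very large `biWidth`/`biHeight` still passes and requests a buffer of up to roughly 4 GiB sized entirely by untrusted file fields. For uncompressed images it would be worth also rejecting a `stride * Info_h.biHeight` larger than the bytes remaining in `IN`, or applying a documented maximum dimension. The checks appear to assume `biWidth` and `biHeight` are unsigned 32-bit values; their declarations are outside the hunk, and if either were signed a negative value would get past the `== 0` test. The three guards repeat `((OPJ_UINT32)-1)` without explanation, so a comment such as `/* reject sizes that would wrap OPJ_UINT32 in the stride and buffer-size computation */` above the first one would help. bmptoimage starts and ends outside the hunk.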
