Add overflow check in opj_j2k_update_image_data (#817)

author: Matthieu Darbois <mayeut@users.noreply.github.com> 2016-09-06 00:50:44 +0200
committer: GitHub <noreply@github.com> 2016-09-06 00:50:44 +0200
commit: ccd9ced49ea66f31b1d3d9dd07f4438fa94db328 (patch)
tree: 2df9824d4109bf435b40b91ddebc93a07f7f4755 /src
parent: 9f24b078c7193e886f6cfb329d3469eb1facf68d (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 9eaa155e..01d1a4ff 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -8217,8 +8217,14 @@ static OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data,
 
                 /* Allocate output component buffer if necessary */
                 if (!l_img_comp_dest->data) {
+                        OPJ_SIZE_T l_width = l_img_comp_dest->w;
+                        OPJ_SIZE_T l_height = l_img_comp_dest->h;
 
-                        l_img_comp_dest->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)l_img_comp_dest->w * (OPJ_SIZE_T)l_img_comp_dest->h, sizeof(OPJ_INT32));
+                        if ((l_height == 0U) || (l_width > (SIZE_MAX / l_height))) {
+                                /* would overflow */
+                                return OPJ_FALSE;
+                        }
+                        l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_width * l_height, sizeof(OPJ_INT32));
                         if (! l_img_comp_dest->data) {
                                 return OPJ_FALSE;
                         }
author	Matthieu Darbois <mayeut@users.noreply.github.com>	2016-09-06 00:50:44 +0200
committer	GitHub <noreply@github.com>	2016-09-06 00:50:44 +0200
commit	ccd9ced49ea66f31b1d3d9dd07f4438fa94db328 (patch)
tree	2df9824d4109bf435b40b91ddebc93a07f7f4755 /src
parent	9f24b078c7193e886f6cfb329d3469eb1facf68d (diff)