X-Git-Url: https://git.carlh.net/gitweb/?a=blobdiff_plain;f=src%2Fbin%2Fjp2%2Fconvertbmp.c;h=ae83077caafce06d872fb498c766423c88fe77d6;hb=4d5c5e7c4891491d61c7deaf77d9238b3621c32a;hp=0678d9d39f51dc185cc9de2460342aa8a2c7d0ff;hpb=faf63fddad6efab9fa4dcb14cd290766722a7eec;p=openjpeg.git

diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
index 0678d9d3..ae83077c 100644
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -181,7 +181,7 @@ static void bmpmask32toimage(const OPJ_UINT8* pData, OPJ_UINT32 stride, opj_imag
 	OPJ_UINT32 width, height;
 	OPJ_UINT32 x, y;
 	const OPJ_UINT8 *pSrc = NULL;
-	OPJ_BOOL hasAlpha = OPJ_FALSE;
+	OPJ_BOOL hasAlpha;
 	OPJ_UINT32 redShift,   redPrec;
 	OPJ_UINT32 greenShift, greenPrec;
 	OPJ_UINT32 blueShift,  bluePrec;
@@ -239,7 +239,7 @@ static void bmpmask16toimage(const OPJ_UINT8* pData, OPJ_UINT32 stride, opj_imag
 	OPJ_UINT32 width, height;
 	OPJ_UINT32 x, y;
 	const OPJ_UINT8 *pSrc = NULL;
-	OPJ_BOOL hasAlpha = OPJ_FALSE;
+	OPJ_BOOL hasAlpha;
 	OPJ_UINT32 redShift,   redPrec;
 	OPJ_UINT32 greenShift, greenPrec;
 	OPJ_UINT32 blueShift,  bluePrec;
@@ -675,10 +675,28 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
 		}
 	}
 	
+	if (Info_h.biWidth == 0 || Info_h.biHeight == 0) {
+		fclose(IN);
+		return NULL;
+	}
+	
+	if (Info_h.biBitCount > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+		fclose(IN);
+		return NULL;
+	}
 	stride = ((Info_h.biWidth * Info_h.biBitCount + 31U) / 32U) * 4U; /* rows are aligned on 32bits */
 	if (Info_h.biBitCount == 4 && Info_h.biCompression == 2) { /* RLE 4 gets decoded as 8 bits data for now... */
+		if (8 > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+			fclose(IN);
+			return NULL;
+		}
 		stride = ((Info_h.biWidth * 8U + 31U) / 32U) * 4U;
 	}
+	
+	if (stride > ((OPJ_UINT32)-1) / sizeof(OPJ_UINT8) / Info_h.biHeight) {
+		fclose(IN);
+		return NULL;
+	}
 	pData = (OPJ_UINT8 *) calloc(1, stride * Info_h.biHeight * sizeof(OPJ_UINT8));
 	if (pData == NULL) {
 		fclose(IN);
@@ -729,6 +747,7 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
 	image = opj_image_create(numcmpts, &cmptparm[0], (numcmpts == 1U) ? OPJ_CLRSPC_GRAY : OPJ_CLRSPC_SRGB);
 	if(!image) {
 		fclose(IN);
+		free(pData);
 		return NULL;
 	}
 	if (numcmpts == 4U) {
@@ -890,7 +909,7 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
             fprintf(fdest, "%c%c%c", bc, gc, rc);
 
             if ((i + 1) % w == 0) {
-                for (pad = (3 * w) % 4 ? 4 - (3 * w) % 4 : 0; pad > 0; pad--)	/* ADD */
+                for (pad = ((3 * w) % 4) ? (4 - (3 * w) % 4) : 0; pad > 0; pad--)	/* ADD */
                     fprintf(fdest, "%c", 0);
             }
         }
@@ -902,6 +921,10 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
         <<-- <<-- <<-- <<-- */
 
         fdest = fopen(outfile, "wb");
+        if (!fdest) {
+            fprintf(stderr, "ERROR -> failed to open %s for writing\n", outfile);
+            return 1;
+        }
         w = (int)image->comps[0].w;
         h = (int)image->comps[0].h;
 
@@ -962,7 +985,7 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
             fprintf(fdest, "%c", (OPJ_UINT8)r);
 
             if ((i + 1) % w == 0) {
-                for (pad = w % 4 ? 4 - w % 4 : 0; pad > 0; pad--)	/* ADD */
+                for (pad = (w % 4) ? (4 - w % 4) : 0; pad > 0; pad--)	/* ADD */
                     fprintf(fdest, "%c", 0);
             }
         }