[gs-cvs] rev 8298 - in trunk/gs/jasper/src/libjasper: jp2 jpc

Wed Oct 17 16:04:52 PDT 2007

Author: giles
Date: 2007-10-17 16:04:50 -0700 (Wed, 17 Oct 2007)
New Revision: 8298

Modified:
   trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c
   trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c
   trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c
Log:
Avoid memory corruption with broken files.

Patch from the Ubuntu libjasper package.


Modified: trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c
===================================================================

--- trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c	2007-10-17 18:27:58 UTC (rev 8297)
+++ trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c	2007-10-17 23:04:50 UTC (rev 8298)
@@ -247,7 +247,7 @@
 	box = 0;
 	tmpstream = 0;
 
-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
 		goto error;
 	}
 	box->ops = &jp2_boxinfo_unk.ops;

Modified: trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c
===================================================================
--- trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c	2007-10-17 18:27:58 UTC (rev 8297)
+++ trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c	2007-10-17 23:04:50 UTC (rev 8298)
@@ -991,7 +991,10 @@
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
-if (compparms->numstepsizes > 0) {
+if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+		jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
 	compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 	  sizeof(uint_fast32_t));
 	assert(compparms->stepsizes);

Modified: trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c
===================================================================
--- trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c	2007-10-17 18:27:58 UTC (rev 8297)
+++ trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c	2007-10-17 23:04:50 UTC (rev 8298)
@@ -1219,7 +1219,7 @@
 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
 	dec->numtiles = dec->numhtiles * dec->numvtiles;
-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
+	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
 		return -1;
 	}
 
@@ -1243,7 +1243,7 @@
 		tile->pkthdrstreampos = 0;
 		tile->pptstab = 0;
 		tile->cp = 0;
-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
+		if (!(tile->tcomps = jas_calloc(dec->numcomps,
 		  sizeof(jpc_dec_tcomp_t)))) {
 			return -1;
 		}

