Fix issue 833.

author trylab <trylab@users.noreply.github.com>

Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)

committer trylab <trylab@users.noreply.github.com>

Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)
author trylab <trylab@users.noreply.github.com>
Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)
committer trylab <trylab@users.noreply.github.com>
Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)
diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c

index d264823f09bcb36d667bbbc0be50228d7391b06f..ae83077caafce06d872fb498c766423c88fe77d6 100644 (file)
--- a/src/bin/jp2/convertbmp.c
+++ b/src/bin/jp2/convertbmp.c
@@ -675,10 +675,28 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
                 }
         }
         
+       if (Info_h.biWidth == 0 || Info_h.biHeight == 0) {
+               fclose(IN);
+               return NULL;
+       }
+       
+       if (Info_h.biBitCount > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+               fclose(IN);
+               return NULL;
+       }
         stride = ((Info_h.biWidth * Info_h.biBitCount + 31U) / 32U) * 4U; /* rows are aligned on 32bits */
         if (Info_h.biBitCount == 4 && Info_h.biCompression == 2) { /* RLE 4 gets decoded as 8 bits data for now... */
+               if (8 > (((OPJ_UINT32)-1) - 31) / Info_h.biWidth) {
+                       fclose(IN);
+                       return NULL;
+               }
                 stride = ((Info_h.biWidth * 8U + 31U) / 32U) * 4U;
         }
+       
+       if (stride > ((OPJ_UINT32)-1) / sizeof(OPJ_UINT8) / Info_h.biHeight) {
+               fclose(IN);
+               return NULL;
+       }
         pData = (OPJ_UINT8 *) calloc(1, stride * Info_h.biHeight * sizeof(OPJ_UINT8));
         if (pData == NULL) {
                 fclose(IN);
author	trylab <trylab@users.noreply.github.com>
	Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)
committer	trylab <trylab@users.noreply.github.com>
	Tue, 13 Sep 2016 09:43:30 +0000 (17:43 +0800)