Correct overflows in opj_j2k_update_image_data

This commit is contained in:
mayeut 2015-05-16 02:51:31 +02:00
parent 2d24b6000d
commit 1fb24aba4b
1 changed files with 11 additions and 11 deletions

View File

@ -7987,10 +7987,10 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
OPJ_UINT32 l_width_src,l_height_src; OPJ_UINT32 l_width_src,l_height_src;
OPJ_UINT32 l_width_dest,l_height_dest; OPJ_UINT32 l_width_dest,l_height_dest;
OPJ_INT32 l_offset_x0_src, l_offset_y0_src, l_offset_x1_src, l_offset_y1_src; OPJ_INT32 l_offset_x0_src, l_offset_y0_src, l_offset_x1_src, l_offset_y1_src;
OPJ_INT32 l_start_offset_src, l_line_offset_src, l_end_offset_src ; size_t l_start_offset_src, l_line_offset_src, l_end_offset_src ;
OPJ_UINT32 l_start_x_dest , l_start_y_dest; OPJ_UINT32 l_start_x_dest , l_start_y_dest;
OPJ_UINT32 l_x0_dest, l_y0_dest, l_x1_dest, l_y1_dest; OPJ_UINT32 l_x0_dest, l_y0_dest, l_x1_dest, l_y1_dest;
OPJ_INT32 l_start_offset_dest, l_line_offset_dest; size_t l_start_offset_dest, l_line_offset_dest;
opj_image_comp_t * l_img_comp_src = 00; opj_image_comp_t * l_img_comp_src = 00;
opj_image_comp_t * l_img_comp_dest = 00; opj_image_comp_t * l_img_comp_dest = 00;
@ -8012,7 +8012,7 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
/* Allocate output component buffer if necessary */ /* Allocate output component buffer if necessary */
if (!l_img_comp_dest->data) { if (!l_img_comp_dest->data) {
l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_img_comp_dest->w * l_img_comp_dest->h, sizeof(OPJ_INT32)); l_img_comp_dest->data = (OPJ_INT32*) opj_calloc((size_t)l_img_comp_dest->w * (size_t)l_img_comp_dest->h, sizeof(OPJ_INT32));
if (! l_img_comp_dest->data) { if (! l_img_comp_dest->data) {
return OPJ_FALSE; return OPJ_FALSE;
} }
@ -8079,7 +8079,7 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
} }
} }
else { else {
l_start_x_dest = 0 ; l_start_x_dest = 0U;
l_offset_x0_src = (OPJ_INT32)l_x0_dest - l_res->x0; l_offset_x0_src = (OPJ_INT32)l_x0_dest - l_res->x0;
if ( l_x1_dest >= (OPJ_UINT32)l_res->x1 ) { if ( l_x1_dest >= (OPJ_UINT32)l_res->x1 ) {
@ -8106,7 +8106,7 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
} }
} }
else { else {
l_start_y_dest = 0 ; l_start_y_dest = 0U;
l_offset_y0_src = (OPJ_INT32)l_y0_dest - l_res->y0; l_offset_y0_src = (OPJ_INT32)l_y0_dest - l_res->y0;
if ( l_y1_dest >= (OPJ_UINT32)l_res->y1 ) { if ( l_y1_dest >= (OPJ_UINT32)l_res->y1 ) {
@ -8129,13 +8129,13 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
/*-----*/ /*-----*/
/* Compute the input buffer offset */ /* Compute the input buffer offset */
l_start_offset_src = l_offset_x0_src + l_offset_y0_src * (OPJ_INT32)l_width_src; l_start_offset_src = (size_t)l_offset_x0_src + (size_t)l_offset_y0_src * (size_t)l_width_src;
l_line_offset_src = l_offset_x1_src + l_offset_x0_src; l_line_offset_src = (size_t)l_offset_x1_src + (size_t)l_offset_x0_src;
l_end_offset_src = l_offset_y1_src * (OPJ_INT32)l_width_src - l_offset_x0_src; l_end_offset_src = (size_t)l_offset_y1_src * (size_t)l_width_src - (size_t)l_offset_x0_src;
/* Compute the output buffer offset */ /* Compute the output buffer offset */
l_start_offset_dest = (OPJ_INT32)(l_start_x_dest + l_start_y_dest * l_img_comp_dest->w); l_start_offset_dest = (size_t)l_start_x_dest + (size_t)l_start_y_dest * (size_t)l_img_comp_dest->w;
l_line_offset_dest = (OPJ_INT32)(l_img_comp_dest->w - l_width_dest); l_line_offset_dest = (size_t)l_img_comp_dest->w - (size_t)l_width_dest;
/* Move the output buffer to the first place where we will write*/ /* Move the output buffer to the first place where we will write*/
l_dest_ptr = l_img_comp_dest->data + l_start_offset_dest; l_dest_ptr = l_img_comp_dest->data + l_start_offset_dest;