tgatoimage(): avoid excessive memory allocation attempt, and fixes unaligned load (#995)
This commit is contained in:
Even Rouault
parent
09e83407fa
commit
2cd30c2b06
|
|
@ -580,13 +580,10 @@ struct tga_header {
|
||||||
};
|
};
|
||||||
#endif /* INFORMATION_ONLY */
|
#endif /* INFORMATION_ONLY */
|
||||||
|
|
||||||
static unsigned short get_ushort(const unsigned char *data)
|
/* Returns a ushort from a little-endian serialized value */
|
||||||
|
static unsigned short get_tga_ushort(const unsigned char *data)
|
||||||
{
|
{
|
||||||
unsigned short val = *(const unsigned short *)data;
|
return data[0] | (data[1] << 8);
|
||||||
#ifdef OPJ_BIG_ENDIAN
|
|
||||||
val = ((val & 0xffU) << 8) | (val >> 8);
|
|
||||||
#endif
|
|
||||||
return val;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#define TGA_HEADER_SIZE 18
|
#define TGA_HEADER_SIZE 18
|
||||||
|
|
@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
|
||||||
id_len = tga[0];
|
id_len = tga[0];
|
||||||
/*cmap_type = tga[1];*/
|
/*cmap_type = tga[1];*/
|
||||||
image_type = tga[2];
|
image_type = tga[2];
|
||||||
/*cmap_index = get_ushort(&tga[3]);*/
|
/*cmap_index = get_tga_ushort(&tga[3]);*/
|
||||||
cmap_len = get_ushort(&tga[5]);
|
cmap_len = get_tga_ushort(&tga[5]);
|
||||||
cmap_entry_size = tga[7];
|
cmap_entry_size = tga[7];
|
||||||
|
|
||||||
|
|
||||||
#if 0
|
#if 0
|
||||||
x_origin = get_ushort(&tga[8]);
|
x_origin = get_tga_ushort(&tga[8]);
|
||||||
y_origin = get_ushort(&tga[10]);
|
y_origin = get_tga_ushort(&tga[10]);
|
||||||
#endif
|
#endif
|
||||||
image_w = get_ushort(&tga[12]);
|
image_w = get_tga_ushort(&tga[12]);
|
||||||
image_h = get_ushort(&tga[14]);
|
image_h = get_tga_ushort(&tga[14]);
|
||||||
pixel_depth = tga[16];
|
pixel_depth = tga[16];
|
||||||
image_desc = tga[17];
|
image_desc = tga[17];
|
||||||
|
|
||||||
|
|
@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
|
||||||
color_space = OPJ_CLRSPC_SRGB;
|
color_space = OPJ_CLRSPC_SRGB;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If the declared file size is > 10 MB, check that the file is big */
|
||||||
|
/* enough to avoid excessive memory allocations */
|
||||||
|
if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
|
||||||
|
char ch;
|
||||||
|
OPJ_UINT64 expected_file_size =
|
||||||
|
(OPJ_UINT64)image_width * image_height * numcomps;
|
||||||
|
long curpos = ftell(f);
|
||||||
|
if (expected_file_size > (OPJ_UINT64)INT_MAX) {
|
||||||
|
expected_file_size = (OPJ_UINT64)INT_MAX;
|
||||||
|
}
|
||||||
|
fseek(f, (long)expected_file_size - 1, SEEK_SET);
|
||||||
|
if (fread(&ch, 1, 1, f) != 1) {
|
||||||
|
fclose(f);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
fseek(f, curpos, SEEK_SET);
|
||||||
|
}
|
||||||
|
|
||||||
subsampling_dx = parameters->subsampling_dx;
|
subsampling_dx = parameters->subsampling_dx;
|
||||||
subsampling_dy = parameters->subsampling_dy;
|
subsampling_dy = parameters->subsampling_dy;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue