pgxtoimage(): avoid excessive memory allocation attempt (#999)

This commit is contained in:
Even Rouault 2017-08-19 15:45:54 +02:00
parent e528531922
commit 3eed024eb4
1 changed files with 24 additions and 0 deletions

View File

@ -1163,6 +1163,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
opj_image_cmptparm_t cmptparm; /* maximum of 1 component */ opj_image_cmptparm_t cmptparm; /* maximum of 1 component */
opj_image_t * image = NULL; opj_image_t * image = NULL;
int adjustS, ushift, dshift, force8; int adjustS, ushift, dshift, force8;
OPJ_UINT64 expected_file_size;
char endian1, endian2, sign; char endian1, endian2, sign;
char signtmp[32]; char signtmp[32];
@ -1213,6 +1214,29 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
return NULL; return NULL;
} }
if (w < 1 || h < 1 || prec < 1 || prec > 31) {
fclose(f);
fprintf(stderr, "Bad pgx header, please check input file\n");
return NULL;
}
expected_file_size =
(OPJ_UINT64)w * (OPJ_UINT64)h * (prec > 16 ? 4 : prec > 8 ? 2 : 1);
if (expected_file_size > 10000000U) {
char ch;
long curpos = ftell(f);
if (expected_file_size > (OPJ_UINT64)INT_MAX) {
expected_file_size = (OPJ_UINT64)INT_MAX;
}
fseek(f, (long)expected_file_size - 1, SEEK_SET);
if (fread(&ch, 1, 1, f) != 1) {
fprintf(stderr, "File too short\n");
fclose(f);
return NULL;
}
fseek(f, curpos, SEEK_SET);
}
/* initialize image component */ /* initialize image component */
cmptparm.x0 = (OPJ_UINT32)parameters->image_offset_x0; cmptparm.x0 = (OPJ_UINT32)parameters->image_offset_x0;