Merge pull request #1170 from rouault/fix_color_apply_icc_profile

color_apply_icc_profile: avoid potential heap buffer overflow
This commit is contained in:
Even Rouault 2018-11-28 00:04:30 +01:00 committed by GitHub
commit e0f5212888
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 68 additions and 58 deletions

View File

@ -597,82 +597,92 @@ void color_apply_icc_profile(opj_image_t *image)
} }
if (image->numcomps > 2) { /* RGB, RGBA */ if (image->numcomps > 2) { /* RGB, RGBA */
if (prec <= 8) { if ((image->comps[0].w == image->comps[1].w &&
unsigned char *inbuf, *outbuf, *in, *out; image->comps[0].w == image->comps[2].w) &&
(image->comps[0].h == image->comps[1].h &&
image->comps[0].h == image->comps[2].h)) {
if (prec <= 8) {
unsigned char *inbuf, *outbuf, *in, *out;
max = max_w * max_h; max = max_w * max_h;
nr_samples = (size_t)(max * 3U * sizeof(unsigned char)); nr_samples = (size_t)(max * 3U * sizeof(unsigned char));
in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples); in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples); out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples);
if (inbuf == NULL || outbuf == NULL) { if (inbuf == NULL || outbuf == NULL) {
goto fails0; goto fails0;
} }
r = image->comps[0].data; r = image->comps[0].data;
g = image->comps[1].data; g = image->comps[1].data;
b = image->comps[2].data; b = image->comps[2].data;
for (i = 0U; i < max; ++i) { for (i = 0U; i < max; ++i) {
*in++ = (unsigned char) * r++; *in++ = (unsigned char) * r++;
*in++ = (unsigned char) * g++; *in++ = (unsigned char) * g++;
*in++ = (unsigned char) * b++; *in++ = (unsigned char) * b++;
} }
cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
r = image->comps[0].data; r = image->comps[0].data;
g = image->comps[1].data; g = image->comps[1].data;
b = image->comps[2].data; b = image->comps[2].data;
for (i = 0U; i < max; ++i) { for (i = 0U; i < max; ++i) {
*r++ = (int) * out++; *r++ = (int) * out++;
*g++ = (int) * out++; *g++ = (int) * out++;
*b++ = (int) * out++; *b++ = (int) * out++;
} }
ok = 1; ok = 1;
fails0: fails0:
opj_image_data_free(inbuf); opj_image_data_free(inbuf);
opj_image_data_free(outbuf); opj_image_data_free(outbuf);
} else { /* prec > 8 */ } else { /* prec > 8 */
unsigned short *inbuf, *outbuf, *in, *out; unsigned short *inbuf, *outbuf, *in, *out;
max = max_w * max_h; max = max_w * max_h;
nr_samples = (size_t)(max * 3U * sizeof(unsigned short)); nr_samples = (size_t)(max * 3U * sizeof(unsigned short));
in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples); in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples); out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples);
if (inbuf == NULL || outbuf == NULL) { if (inbuf == NULL || outbuf == NULL) {
goto fails1; goto fails1;
} }
r = image->comps[0].data; r = image->comps[0].data;
g = image->comps[1].data; g = image->comps[1].data;
b = image->comps[2].data; b = image->comps[2].data;
for (i = 0U ; i < max; ++i) { for (i = 0U ; i < max; ++i) {
*in++ = (unsigned short) * r++; *in++ = (unsigned short) * r++;
*in++ = (unsigned short) * g++; *in++ = (unsigned short) * g++;
*in++ = (unsigned short) * b++; *in++ = (unsigned short) * b++;
} }
cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max);
r = image->comps[0].data; r = image->comps[0].data;
g = image->comps[1].data; g = image->comps[1].data;
b = image->comps[2].data; b = image->comps[2].data;
for (i = 0; i < max; ++i) { for (i = 0; i < max; ++i) {
*r++ = (int) * out++; *r++ = (int) * out++;
*g++ = (int) * out++; *g++ = (int) * out++;
*b++ = (int) * out++; *b++ = (int) * out++;
} }
ok = 1; ok = 1;
fails1: fails1:
opj_image_data_free(inbuf); opj_image_data_free(inbuf);
opj_image_data_free(outbuf); opj_image_data_free(outbuf);
}
} else {
fprintf(stderr,
"[ERROR] Image components should have the same width and height\n");
cmsDeleteTransform(transform);
return;
} }
} else { /* image->numcomps <= 2 : GRAY, GRAYA */ } else { /* image->numcomps <= 2 : GRAY, GRAYA */
if (prec <= 8) { if (prec <= 8) {