From: Even Rouault Date: Tue, 27 Nov 2018 22:31:30 +0000 (+0100) Subject: color_apply_icc_profile: avoid potential heap buffer overflow X-Git-Tag: v2.3.1~12^2 X-Git-Url: https://main.carlh.net/gitweb/?p=openjpeg.git;a=commitdiff_plain;h=2e5ab1d9987831c981ff05862e8ccf1381ed58ea color_apply_icc_profile: avoid potential heap buffer overflow Derived from a patch by Thuan Pham --- diff --git a/src/bin/common/color.c b/src/bin/common/color.c index a97d49f1..d3a2f38d 100644 --- a/src/bin/common/color.c +++ b/src/bin/common/color.c @@ -597,82 +597,92 @@ void color_apply_icc_profile(opj_image_t *image) } if (image->numcomps > 2) { /* RGB, RGBA */ - if (prec <= 8) { - unsigned char *inbuf, *outbuf, *in, *out; - - max = max_w * max_h; - nr_samples = (size_t)(max * 3U * sizeof(unsigned char)); - in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples); - out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples); - - if (inbuf == NULL || outbuf == NULL) { - goto fails0; - } - - r = image->comps[0].data; - g = image->comps[1].data; - b = image->comps[2].data; - - for (i = 0U; i < max; ++i) { - *in++ = (unsigned char) * r++; - *in++ = (unsigned char) * g++; - *in++ = (unsigned char) * b++; - } - - cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); - - r = image->comps[0].data; - g = image->comps[1].data; - b = image->comps[2].data; - - for (i = 0U; i < max; ++i) { - *r++ = (int) * out++; - *g++ = (int) * out++; - *b++ = (int) * out++; - } - ok = 1; + if ((image->comps[0].w == image->comps[1].w && + image->comps[0].w == image->comps[2].w) && + (image->comps[0].h == image->comps[1].h && + image->comps[0].h == image->comps[2].h)) { + if (prec <= 8) { + unsigned char *inbuf, *outbuf, *in, *out; + + max = max_w * max_h; + nr_samples = (size_t)(max * 3U * sizeof(unsigned char)); + in = inbuf = (unsigned char*)opj_image_data_alloc(nr_samples); + out = outbuf = (unsigned char*)opj_image_data_alloc(nr_samples); + + if (inbuf == NULL || outbuf == NULL) { + goto fails0; + } + + r = image->comps[0].data; + g = image->comps[1].data; + b = image->comps[2].data; + + for (i = 0U; i < max; ++i) { + *in++ = (unsigned char) * r++; + *in++ = (unsigned char) * g++; + *in++ = (unsigned char) * b++; + } + + cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); + + r = image->comps[0].data; + g = image->comps[1].data; + b = image->comps[2].data; + + for (i = 0U; i < max; ++i) { + *r++ = (int) * out++; + *g++ = (int) * out++; + *b++ = (int) * out++; + } + ok = 1; fails0: - opj_image_data_free(inbuf); - opj_image_data_free(outbuf); - } else { /* prec > 8 */ - unsigned short *inbuf, *outbuf, *in, *out; - - max = max_w * max_h; - nr_samples = (size_t)(max * 3U * sizeof(unsigned short)); - in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples); - out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples); - - if (inbuf == NULL || outbuf == NULL) { - goto fails1; - } - - r = image->comps[0].data; - g = image->comps[1].data; - b = image->comps[2].data; - - for (i = 0U ; i < max; ++i) { - *in++ = (unsigned short) * r++; - *in++ = (unsigned short) * g++; - *in++ = (unsigned short) * b++; - } - - cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); - - r = image->comps[0].data; - g = image->comps[1].data; - b = image->comps[2].data; - - for (i = 0; i < max; ++i) { - *r++ = (int) * out++; - *g++ = (int) * out++; - *b++ = (int) * out++; - } - ok = 1; + opj_image_data_free(inbuf); + opj_image_data_free(outbuf); + } else { /* prec > 8 */ + unsigned short *inbuf, *outbuf, *in, *out; + + max = max_w * max_h; + nr_samples = (size_t)(max * 3U * sizeof(unsigned short)); + in = inbuf = (unsigned short*)opj_image_data_alloc(nr_samples); + out = outbuf = (unsigned short*)opj_image_data_alloc(nr_samples); + + if (inbuf == NULL || outbuf == NULL) { + goto fails1; + } + + r = image->comps[0].data; + g = image->comps[1].data; + b = image->comps[2].data; + + for (i = 0U ; i < max; ++i) { + *in++ = (unsigned short) * r++; + *in++ = (unsigned short) * g++; + *in++ = (unsigned short) * b++; + } + + cmsDoTransform(transform, inbuf, outbuf, (cmsUInt32Number)max); + + r = image->comps[0].data; + g = image->comps[1].data; + b = image->comps[2].data; + + for (i = 0; i < max; ++i) { + *r++ = (int) * out++; + *g++ = (int) * out++; + *b++ = (int) * out++; + } + ok = 1; fails1: - opj_image_data_free(inbuf); - opj_image_data_free(outbuf); + opj_image_data_free(inbuf); + opj_image_data_free(outbuf); + } + } else { + fprintf(stderr, + "[ERROR] Image components should have the same width and height\n"); + cmsDeleteTransform(transform); + return; } } else { /* image->numcomps <= 2 : GRAY, GRAYA */ if (prec <= 8) {