1diff --git a/java/TJUnitTest.java b/java/TJUnitTest.java 2index 91ad5fd..07c59d8 100644 3--- a/java/TJUnitTest.java 4+++ b/java/TJUnitTest.java 5@@ -837,6 +837,54 @@ final class TJUnitTest { 6 if (tjd != null) tjd.close(); 7 } 8 9+ static void overflowTest() throws Exception { 10+ /* Ensure that the various buffer size methods don't overflow */ 11+ int size = 0; 12+ boolean exception = false; 13+ try { 14+ exception = false; 15+ size = TJ.bufSize(18919, 18919, TJ.SAMP_444); 16+ } catch (Exception e) { exception = true; } 17+ if (!exception || size != 0) 18+ throw new Exception("TJ.bufSize() overflow"); 19+ try { 20+ exception = false; 21+ size = TJ.bufSizeYUV(26755, 1, 26755, TJ.SAMP_444); 22+ } catch (Exception e) { exception = true; } 23+ if (!exception || size != 0) 24+ throw new Exception("TJ.bufSizeYUV() overflow"); 25+ try { 26+ exception = false; 27+ size = TJ.bufSizeYUV(26754, 3, 26754, TJ.SAMP_444); 28+ } catch (Exception e) { exception = true; } 29+ if (!exception || size != 0) 30+ throw new Exception("TJ.bufSizeYUV() overflow"); 31+ try { 32+ exception = false; 33+ size = TJ.bufSizeYUV(26754, -1, 26754, TJ.SAMP_444); 34+ } catch (Exception e) { exception = true; } 35+ if (!exception || size != 0) 36+ throw new Exception("TJ.bufSizeYUV() overflow"); 37+ try { 38+ exception = false; 39+ size = TJ.planeSizeYUV(0, 46341, 0, 46341, TJ.SAMP_444); 40+ } catch (Exception e) { exception = true; } 41+ if (!exception || size != 0) 42+ throw new Exception("TJ.planeSizeYUV() overflow"); 43+ try { 44+ exception = false; 45+ size = TJ.planeWidth(0, Integer.MAX_VALUE, TJ.SAMP_420); 46+ } catch (Exception e) { exception = true; } 47+ if (!exception || size != 0) 48+ throw new Exception("TJ.planeWidth() overflow"); 49+ try { 50+ exception = false; 51+ size = TJ.planeHeight(0, Integer.MAX_VALUE, TJ.SAMP_420); 52+ } catch (Exception e) { exception = true; } 53+ if (!exception || size != 0) 54+ throw new Exception("TJ.planeHeight() overflow"); 55+ } 56+ 57 static void bufSizeTest() throws Exception { 58 int w, h, i, subsamp; 59 byte[] srcBuf, dstBuf = null; 60@@ -912,6 +960,7 @@ final class TJUnitTest { 61 } 62 if (doYUV) 63 FORMATS_4BYTE[4] = -1; 64+ overflowTest(); 65 doTest(35, 39, bi ? FORMATS_3BYTEBI : FORMATS_3BYTE, TJ.SAMP_444, 66 testName); 67 doTest(39, 41, bi ? FORMATS_4BYTEBI : FORMATS_4BYTE, TJ.SAMP_444, 68 69diff --git a/src/jcphuff.c b/src/jcphuff.c 70index 1101987..7c9d7cf 100644 71--- a/src/jcphuff.c 72+++ b/src/jcphuff.c 73@@ -664,7 +664,7 @@ encode_mcu_AC_first(j_compress_ptr cinfo 74 emit_restart(entropy, entropy->next_restart_num); 75 76 #ifdef WITH_SIMD 77- cvalue = values = (UJCOEF *)PAD((JUINTPTR)values_unaligned, 16); 78+ cvalue = values = (UJCOEF *)PAD((size_t)values_unaligned, 16); 79 #else 80 /* Not using SIMD, so alignment is not needed */ 81 cvalue = values = values_unaligned; 82@@ -934,7 +934,7 @@ encode_mcu_AC_refine(j_compress_ptr cinf 83 emit_restart(entropy, entropy->next_restart_num); 84 85 #ifdef WITH_SIMD 86- cabsvalue = absvalues = (UJCOEF *)PAD((JUINTPTR)absvalues_unaligned, 16); 87+ cabsvalue = absvalues = (UJCOEF *)PAD((size_t)absvalues_unaligned, 16); 88 #else 89 /* Not using SIMD, so alignment is not needed */ 90 cabsvalue = absvalues = absvalues_unaligned; 91diff --git a/src/jerror.c b/src/jerror.c 92index 936c4f5..aa0c6ee 100644 93--- a/src/jerror.c 94+++ b/src/jerror.c 95@@ -26,6 +26,7 @@ 96 #include "jpeglib.h" 97 #include "jversion.h" 98 #include "jerror.h" 99+#include <stdlib.h> 100 101 #ifdef USE_WINDOWS_MESSAGEBOX 102 #include <windows.h> 103 104diff --git a/src/tjunittest.c b/src/tjunittest.c 105index f59939f..38ada63 100644 106--- a/src/tjunittest.c 107+++ b/src/tjunittest.c 108@@ -711,10 +711,10 @@ static void overflowTest(void) 109 CHECKSIZE(tj3YUVPlaneSize()); 110 ulsize = tjPlaneSizeYUV(0, 65536, 0, 65536, TJSAMP_444); 111 CHECKSIZEUL(tjPlaneSizeYUV()); 112- intsize = tj3YUVPlaneWidth(0, INT_MAX, TJSAMP_420); 113- CHECKSIZEINT(tj3YUVPlaneWidth()); 114- intsize = tj3YUVPlaneHeight(0, INT_MAX, TJSAMP_420); 115- CHECKSIZEINT(tj3YUVPlaneHeight()); 116+ intsize = tjPlaneWidth(0, INT_MAX, TJSAMP_420); 117+ CHECKSIZEINT(tjPlaneWidth()); 118+ intsize = tjPlaneHeight(0, INT_MAX, TJSAMP_420); 119+ CHECKSIZEINT(tjPlaneHeight()); 120 121 bailout: 122 return; 123diff --git a/java/turbojpeg-jni.c b/java/turbojpeg-jni.c 124index 1b728e3..053edbd 100644 125--- a/java/turbojpeg-jni.c 126+++ b/java/turbojpeg-jni.c 127@@ -97,10 +97,10 @@ 128 JNIEXPORT jint JNICALL Java_org_libjpegturbo_turbojpeg_TJ_bufSize 129 (JNIEnv *env, jclass cls, jint width, jint height, jint jpegSubsamp) 130 { 131- size_t retval = tj3JPEGBufSize(width, height, jpegSubsamp); 132+ unsigned long retval = tj3JPEGBufSize(width, height, jpegSubsamp); 133 134- if (retval == 0) THROW_ARG(tj3GetErrorStr(NULL)); 135- if (retval > (size_t)INT_MAX) 136+ if (retval == (unsigned long)-1) THROW_ARG(tj3GetErrorStr(NULL)); 137+ if (retval > (unsigned long)INT_MAX) 138 THROW_ARG("Image is too large"); 139 140 bailout: 141@@ -111,10 +111,10 @@ bailout: 142 JNIEXPORT jint JNICALL Java_org_libjpegturbo_turbojpeg_TJ_bufSizeYUV__IIII 143 (JNIEnv *env, jclass cls, jint width, jint align, jint height, jint subsamp) 144 { 145- size_t retval = tj3YUVBufSize(width, align, height, subsamp); 146+ unsigned long retval = tj3YUVBufSize(width, align, height, subsamp); 147 148- if (retval == 0) THROW_ARG(tj3GetErrorStr(NULL)); 149- if (retval > (size_t)INT_MAX) 150+ if (retval == unsigned long)-1) THROW_ARG(tj3GetErrorStr(NULL)); 151+ if (retval > (unsigned long)INT_MAX) 152 THROW_ARG("Image is too large"); 153 154 bailout: 155@@ -126,10 +126,10 @@ JNIEXPORT jint JNICALL Java_org_libjpegt 156 (JNIEnv *env, jclass cls, jint componentID, jint width, jint stride, 157 jint height, jint subsamp) 158 { 159- size_t retval = tj3YUVPlaneSize(componentID, width, stride, height, subsamp); 160+ unsigned long retval = tj3YUVPlaneSize(componentID, width, stride, height, subsamp); 161 162- if (retval == 0) THROW_ARG(tj3GetErrorStr(NULL)); 163- if (retval > (size_t)INT_MAX) 164+ if (retval == unsigned long)-1) THROW_ARG(tj3GetErrorStr(NULL)); 165+ if (retval > (unsigned long)INT_MAX) 166 THROW_ARG("Image is too large"); 167 168 bailout: 169 170