1diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
2index 1fa607d66..78a2d22ff 100644
3--- a/third_party/libopenjpeg20/jp2.c
4+++ b/third_party/libopenjpeg20/jp2.c
5@@ -1049,6 +1049,14 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
6 }
7
8 old_comps = image->comps;
9+ /* Overflow check: prevent integer overflow */
10+ for (i = 0; i < nr_channels; ++i) {
11+ cmp = cmap[i].cmp;
12+ if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) {
13+ return OPJ_FALSE;
14+ }
15+ }
16+
17 new_comps = (opj_image_comp_t*)
18 opj_malloc(nr_channels * sizeof(opj_image_comp_t));
19 if (!new_comps) {
20@@ -1093,21 +1101,27 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
21 cmp = cmap[i].cmp;
22 pcol = cmap[i].pcol;
23 src = old_comps[cmp].data;
24- assert(src); /* verified above */
25+ dst = new_comps[i].data;
26 max = new_comps[i].w * new_comps[i].h;
27
28+ /* Prevent null pointer access */
29+ if (!src || !dst) {
30+ for (j = 0; j < nr_channels; ++j) {
31+ opj_free(new_comps[j].data);
32+ }
33+ opj_free(new_comps);
34+ new_comps = NULL;
35+ return OPJ_FALSE;
36+ }
37+
38 /* Direct use: */
39 if (cmap[i].mtyp == 0) {
40 assert( cmp == 0 ); // probably wrong.
41- dst = new_comps[i].data;
42- assert(dst);
43 for (j = 0; j < max; ++j) {
44 dst[j] = src[j];
45 }
46 } else {
47 assert( i == pcol ); // probably wrong?
48- dst = new_comps[i].data;
49- assert(dst);
50 for (j = 0; j < max; ++j) {
51 /* The index */
52 if ((k = src[j]) < 0) {
53
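Review bot: The added overflow loop in the first hunk reads `old_comps[cmp].w` and `.h` with `cmp` taken directly from `cmap[i].cmp`, and nothing visible in the hunk bounds `cmp` against `image->numcomps`. The function starts above the hunk, so the bound may already be enforced there or in the caller; if it is not, the check itself indexes out of range on a crafted component mapping, and `if (cmp >= image->numcomps) return OPJ_FALSE;` belongs ahead of the size test. The comment should also name what is being protected, for example `/* Reject w * h * sizeof(OPJ_INT32) that does not fit in OPJ_UINT32; the later max = w * h copy bound relies on this. */`. Zero-height components are rejected while zero-width ones pass, which is worth a word in the comment if it is intended.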
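Review bot: The cleanup under `if (!src || !dst)` in the second hunk frees `new_comps[j].data` for every `j < nr_channels`, but `new_comps` comes from `opj_malloc` in the first hunk and is therefore not zeroed. The path is only safe if the code between the two hunks, which is not shown, has assigned every `.data` slot before this loop runs; state that invariant in the comment, e.g. `/* every new_comps[].data was allocated above, so all of them can be freed */`. The `!src` half does not depend on anything allocated here and could move into the early validation loop as `old_comps[cmp].data == NULL`, so the function fails before allocating. The surviving `assert( cmp == 0 )` and `assert( i == pcol )` still compile out under NDEBUG, unlike the two asserts this hunk turns into runtime checks, and the loop body continues past the end of the hunk.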