1diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c 2index 8dc2b977f..3e23bc363 100644 3--- a/third_party/libopenjpeg20/jp2.c 4+++ b/third_party/libopenjpeg20/jp2.c 5@@ -1058,6 +1058,14 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image, 6 } 7 8 old_comps = image->comps; 9+ /* Overflow check: prevent integer overflow */ 10+ for (i = 0; i < nr_channels; ++i) { 11+ cmp = cmap[i].cmp; 12+ if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) { 13+ return OPJ_FALSE; 14+ } 15+ } 16+ 17 new_comps = (opj_image_comp_t*) 18 opj_malloc(nr_channels * sizeof(opj_image_comp_t)); 19 if (!new_comps) { 20@@ -1102,20 +1110,26 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image, 21 cmp = cmap[i].cmp; 22 pcol = cmap[i].pcol; 23 src = old_comps[cmp].data; 24- assert(src); /* verified above */ 25+ dst = new_comps[i].data; 26 max = new_comps[i].w * new_comps[i].h; 27 28+ /* Prevent null pointer access */ 29+ if (!src || !dst) { 30+ for (j = 0; j < nr_channels; ++j) { 31+ opj_free(new_comps[j].data); 32+ } 33+ opj_free(new_comps); 34+ new_comps = NULL; 35+ return OPJ_FALSE; 36+ } 37+ 38 /* Direct use: */ 39 if (cmap[i].mtyp == 0) { 40- dst = new_comps[i].data; 41- assert(dst); 42 for (j = 0; j < max; ++j) { 43 dst[j] = src[j]; 44 } 45 } else { 46 assert( i == pcol ); // probably wrong? 47- dst = new_comps[i].data; 48- assert(dst); 49 for (j = 0; j < max; ++j) { 50 /* The index */ 51 if ((k = src[j]) < 0) { 52