1diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
2index 8dc2b977f..3e23bc363 100644
3--- a/third_party/libopenjpeg20/jp2.c
4+++ b/third_party/libopenjpeg20/jp2.c
5@@ -1058,6 +1058,14 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
6     }
7
8     old_comps = image->comps;
9+    /* Overflow check: prevent integer overflow */
10+    for (i = 0; i < nr_channels; ++i) {
11+      cmp = cmap[i].cmp;
12+      if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) {
13+        return OPJ_FALSE;
14+      }
15+    }
16+
17     new_comps = (opj_image_comp_t*)
18                 opj_malloc(nr_channels * sizeof(opj_image_comp_t));
19     if (!new_comps) {
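Review bot: The guard that tests `old_comps[cmp].h == 0` rejects a zero height but lets a zero width through, so a component with `w == 0` passes and any later size computed from `w * h` is zero. If empty components are meant to be rejected here, test both dimensions: `if (old_comps[cmp].w == 0 || old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1) / sizeof(OPJ_INT32) / old_comps[cmp].h) {`. The comment should also name what is being protected, for example `/* Reject sizes where w * h * sizeof(OPJ_INT32) does not fit in OPJ_UINT32 */`. The loop indexes `old_comps[cmp]` with a value read from `cmap`, so it relies on `cmp` having been range-checked earlier, which is not visible in this hunk. The body of opj_jp2_apply_pclr starts and ends outside the hunk.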
20@@ -1102,20 +1110,26 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
21         cmp = cmap[i].cmp;
22         pcol = cmap[i].pcol;
23         src = old_comps[cmp].data;
24-        assert(src); /* verified above */
25+        dst = new_comps[i].data;
26         max = new_comps[i].w * new_comps[i].h;
27
28+        /* Prevent null pointer access */
29+        if (!src || !dst) {
30+          for (j = 0; j < nr_channels; ++j) {
31+            opj_free(new_comps[j].data);
32+          }
33+          opj_free(new_comps);
34+          new_comps = NULL;
35+          return OPJ_FALSE;
36+        }
37+
38         /* Direct use: */
39         if (cmap[i].mtyp == 0) {
40-            dst = new_comps[i].data;
41-            assert(dst);
42             for (j = 0; j < max; ++j) {
43                 dst[j] = src[j];
44             }
45         } else {
46             assert( i == pcol ); // probably wrong?
47-            dst = new_comps[i].data;
48-            assert(dst);
49             for (j = 0; j < max; ++j) {
50                 /* The index */
51                 if ((k = src[j]) < 0) {
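Review bot: The `assert( i == pcol )` kept in the palette branch is still a debug-only check, so an NDEBUG build validates nothing about `pcol` at runtime, even though this hunk converts the neighbouring `assert(src)` and `assert(dst)` into real checks. If `pcol` is used as an index into the palette entries further down (the loop body continues outside this hunk), it should get a runtime bound in the new guard, for example `if (!src || !dst || pcol >= nr_channels) {`. Whether `i == pcol` is the right invariant at all is already questioned by the existing comment. Separately, `new_comps = NULL;` just before `return OPJ_FALSE;` looks like a dead store and can be dropped. The cleanup loop also assumes every `new_comps[j].data` was set by code above the hunk.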
52