From 4b4ef5f1e2bf3c795fc60fbbf7c40f2a24043020 Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Wed, 16 Mar 2016 09:01:25 -0700
Subject: [PATCH] Malloc check, realloc, #1715

---
 libImaging/Draw.c | 11 +++++++----
 libImaging/Incremental.c | 12 +++++++++++-
 libImaging/Jpeg2KDecode.c | 1 +
 libImaging/TiffDecode.c | 4 ++++
 path.c | 1 +
 5 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/libImaging/Draw.c b/libImaging/Draw.c
index 9bc5800b9..32f024ed0 100644
--- a/libImaging/Draw.c
+++ b/libImaging/Draw.c
@@ -933,13 +933,16 @@ allocate(ImagingOutline outline, int extra)
 if (outline->count + extra > outline->size) {
 /* expand outline buffer */
 outline->size += extra + 25;
- if (!outline->edges)
+ if (!outline->edges) {
 /* malloc check ok, uses calloc for overflow */
 e = calloc(outline->size, sizeof(Edge));
- else
- /* malloc check UNDONE, overflow, realloc to larger, if it fails, it will leak memory */
+ } else {
+ if (outline->size > SIZE_MAX / sizeof(Edge)) {
+ return NULL;
+ }
+ /* malloc check ok, overflow checked above */
 e = realloc(outline->edges, outline->size * sizeof(Edge));
+ }
 if (!e)
 return NULL;
 outline->edges = e;
diff --git a/libImaging/Incremental.c b/libImaging/Incremental.c
index 68776992a..f0e55244c 100644
--- a/libImaging/Incremental.c
+++ b/libImaging/Incremental.c
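Review bot: The new overflow branch signals failure with `return NULL;`, copying the existing `if (!e) return NULL;` a few lines below; the function's return type is outside the hunk, but if `allocate` returns `int` and its callers test for a negative result, `NULL` converts to 0 and both failures read as success. Both failure paths also leave `outline->size` already grown by `extra + 25` while `outline->edges` still has its old capacity, so a later `outline->count + extra > outline->size` test can be false without any reallocation having happened. I would report the error as `return -1;` in both places and undo the increment before returning, `outline->size -= extra + 25; return -1;`, or apply the increment only after a successful allocation. The enclosing function starts and ends outside the hunk.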
@@ -371,7 +371,17 @@ ImagingIncrementalCodecPushBuffer(ImagingIncrementalCodec codec,
 /* In this specific case, we append to a buffer we allocate ourselves */
 size_t old_size = codec->stream.end - codec->stream.buffer;
 size_t new_size = codec->stream.end - codec->stream.buffer + bytes;
- UINT8 *new = (UINT8 *)realloc (codec->stream.buffer, new_size);
+ UINT8 *new;
+
+ if (old_size > SIZE_MAX - bytes) {
+ codec->state->errcode = IMAGING_CODEC_MEMORY;
+#ifndef _WIN32
+ pthread_mutex_unlock(&codec->data_mutex);
+#endif
+ return -1;
+ }
+ /* malloc check ok, overflow checked */
+ new = (UINT8 *)realloc (codec->stream.buffer, new_size);
 if (!new) {
 codec->state->errcode = IMAGING_CODEC_MEMORY;
diff --git a/libImaging/Jpeg2KDecode.c b/libImaging/Jpeg2KDecode.c
index 07bee2b5e..239461c7c 100644
--- a/libImaging/Jpeg2KDecode.c
+++ b/libImaging/Jpeg2KDecode.c
@@ -702,6 +702,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state,
 tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
 if (buffer_size < tile_info.data_size) {
+ /* malloc check ok, tile_info.data_size from openjpeg */
 UINT8 *new = realloc (state->buffer, tile_info.data_size);
 if (!new) {
 state->errcode = IMAGING_CODEC_MEMORY;
diff --git a/libImaging/TiffDecode.c b/libImaging/TiffDecode.c
index 3df48c7ba..8793f2b34 100644
--- a/libImaging/TiffDecode.c
+++ b/libImaging/TiffDecode.c
@@ -58,10 +58,14 @@ tsize_t _tiffWriteProc(thandle_t hdata, tdata_t buf, tsize_t size) {
 tdata_t new;
 tsize_t newsize=state->size;
 while (newsize < (size + state->size)) {
+ if (newsize > (tsize_t)SIZE_MAX - 64*1024){
+ return 0;
+ }
 newsize += 64*1024;
 // newsize*=2; // UNDONE, by 64k chunks?
 }
 TRACE(("Reallocing in write to %d bytes\n", (int)newsize));
+ /* malloc check ok, overflow checked above */
 new = realloc(state->data, newsize);
 if (!new) {
 // fail out
diff --git a/path.c b/path.c
index cf451e03a..824fbdd89 100644
--- a/path.c
+++ b/path.c
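Review bot: The overflow guard `old_size > SIZE_MAX - bytes` runs after `new_size` has already been computed from the same operands, so the wrapped sum exists before the test rejects it; declaring `size_t new_size;` next to `old_size`, testing first, and assigning `new_size = old_size + bytes;` just before the `realloc` keeps the bad value from ever being formed. The new branch also repeats the `errcode` assignment, the `_WIN32`-guarded `pthread_mutex_unlock`, and `return -1`, which is presumably the same sequence the existing `if (!new)` handler performs (its body continues past the hunk, only the `errcode` line is visible); a `goto` to a shared failure label would stop the two paths from drifting apart. The guard assumes `bytes` is unsigned like `old_size` — if it is a signed type, a negative value would promote and the test would not protect the addition; its declaration is outside the hunk. The enclosing function extends beyond the hunk on both sides.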
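Review bot: The added comment `/* malloc check ok, tile_info.data_size from openjpeg */` gives the wrong reason for why no overflow check is needed here: the `realloc` receives a single size with no multiplication, so there is no arithmetic to overflow, whereas "from openjpeg" reads as trusting the decoder, which is itself parsing an untrusted codestream. I would word it as `/* malloc check ok: single size, no arithmetic to overflow; data_size is what openjpeg reported for this tile */` so a later reader does not take the library's origin of the value as the safety argument. `j2k_decode_entry` continues outside the hunk in both directions.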
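Review bot: The guard `newsize > (tsize_t)SIZE_MAX - 64*1024` compares against a value that is very likely negative: libtiff declares `tsize_t` as a signed type, so converting `SIZE_MAX` to it is implementation-defined and yields -1 on the usual two's-complement targets, `-1 - 64*1024` is below any non-negative `newsize`, and the loop then returns 0 on its first pass, failing every write that needs to grow the buffer. The bound should be the largest value the signed type can hold, e.g. `if (newsize > INT_MAX - 64*1024) {` with `<limits.h>` in scope, or a `tsize_t`-specific maximum if the project defines one. The loop condition `newsize < (size + state->size)` can also overflow before the guard is reached, since both operands are `tsize_t`; testing `size > limit - state->size` before entering the loop covers that case. `_tiffWriteProc` continues outside the hunk in both directions.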
@@ -306,6 +306,7 @@ path_compact(PyPathObject* self, PyObject* args)
 self->count = j;
 /* shrink coordinate array */
+ /* malloc check ok, self->count is smaller than it was before */
 self->xy = realloc(self->xy, 2 * self->count * sizeof(double));
 return Py_BuildValue("i", i); /* number of removed vertices */
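Review bot: `self->xy = realloc(self->xy, ...)` still stores the result without a NULL check; the new comment justifies the size arithmetic, but a shrinking `realloc` can still return NULL, and if `self->count` can reach 0 the request becomes `realloc(p, 0)`, which may free the block and return NULL, leaving `self->xy` dangling or NULL while `self->count` still describes live data. Keeping the old, larger block on failure is safe because it already holds `self->count` points: `double *xy = realloc(self->xy, 2 * self->count * sizeof(double)); if (xy) self->xy = xy;`. I would also make the comment state what it guarantees, e.g. `/* malloc check ok: size only shrinks, so the multiplication cannot overflow; on failure the old block is kept */`. `path_compact`'s body starts outside the hunk.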