Malloc check, realloc, #1715

libImaging/Draw.c

@@ -933,13 +933,16 @@ allocate(ImagingOutline outline, int extra)
     if (outline->count + extra > outline->size) {
         /* expand outline buffer */
         outline->size += extra + 25;
-        if (!outline->edges)
+        if (!outline->edges) {
             /* malloc check ok, uses calloc for overflow */
             e = calloc(outline->size, sizeof(Edge));
-        else
+        } else {
-            /* malloc check UNDONE, overflow, realloc to larger, 
+            if (outline->size > SIZE_MAX / sizeof(Edge)) {
-               if it fails, it will leak memory */
+                return NULL;
+            }
+            /* malloc check ok, overflow checked above */
             e = realloc(outline->edges, outline->size * sizeof(Edge));
+        }
         if (!e)
             return NULL;
         outline->edges = e;

libImaging/Incremental.c

@@ -371,7 +371,17 @@ ImagingIncrementalCodecPushBuffer(ImagingIncrementalCodec codec,
     /* In this specific case, we append to a buffer we allocate ourselves */
     size_t old_size = codec->stream.end - codec->stream.buffer;
     size_t new_size = codec->stream.end - codec->stream.buffer + bytes;
-    UINT8 *new = (UINT8 *)realloc (codec->stream.buffer, new_size);
+    UINT8 *new;
+    
+    if (old_size > SIZE_MAX - bytes) {
+       codec->state->errcode = IMAGING_CODEC_MEMORY;
+#ifndef _WIN32
+      pthread_mutex_unlock(&codec->data_mutex);
+#endif
+      return -1;
+    }       
+    /* malloc check ok, overflow checked */
+    new = (UINT8 *)realloc (codec->stream.buffer, new_size);
 
     if (!new) {
       codec->state->errcode = IMAGING_CODEC_MEMORY;

libImaging/Jpeg2KDecode.c

@@ -702,6 +702,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state,
         tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
 
         if (buffer_size < tile_info.data_size) {
+            /* malloc check ok, tile_info.data_size from openjpeg */
             UINT8 *new = realloc (state->buffer, tile_info.data_size);
             if (!new) {
                 state->errcode = IMAGING_CODEC_MEMORY;

libImaging/TiffDecode.c

@@ -58,10 +58,14 @@ tsize_t _tiffWriteProc(thandle_t hdata, tdata_t buf, tsize_t size) {
 		tdata_t new;
 		tsize_t newsize=state->size;
 		while (newsize < (size + state->size)) {
+            if (newsize > (tsize_t)SIZE_MAX - 64*1024){
+                return 0;
+            }
 			newsize += 64*1024;
 			// newsize*=2; // UNDONE, by 64k chunks?
 		}
 		TRACE(("Reallocing in write to %d bytes\n", (int)newsize));
+        /* malloc check ok, overflow checked above */
 		new = realloc(state->data, newsize);
 		if (!new) {
 			// fail out

path.c

@@ -306,6 +306,7 @@ path_compact(PyPathObject* self, PyObject* args)
     self->count = j;
 
     /* shrink coordinate array */
+    /* malloc check ok, self->count is smaller than it was before */
     self->xy = realloc(self->xy, 2 * self->count * sizeof(double));
 
     return Py_BuildValue("i", i); /* number of removed vertices */