Malloc check, realloc, #1715
parent
52d60cd096
commit
4b4ef5f1e2
|
@ -933,13 +933,16 @@ allocate(ImagingOutline outline, int extra)
|
||||||
if (outline->count + extra > outline->size) {
|
if (outline->count + extra > outline->size) {
|
||||||
/* expand outline buffer */
|
/* expand outline buffer */
|
||||||
outline->size += extra + 25;
|
outline->size += extra + 25;
|
||||||
if (!outline->edges)
|
if (!outline->edges) {
|
||||||
/* malloc check ok, uses calloc for overflow */
|
/* malloc check ok, uses calloc for overflow */
|
||||||
e = calloc(outline->size, sizeof(Edge));
|
e = calloc(outline->size, sizeof(Edge));
|
||||||
else
|
} else {
|
||||||
/* malloc check UNDONE, overflow, realloc to larger,
|
if (outline->size > SIZE_MAX / sizeof(Edge)) {
|
||||||
if it fails, it will leak memory */
|
return NULL;
|
||||||
|
}
|
||||||
|
/* malloc check ok, overflow checked above */
|
||||||
e = realloc(outline->edges, outline->size * sizeof(Edge));
|
e = realloc(outline->edges, outline->size * sizeof(Edge));
|
||||||
|
}
|
||||||
if (!e)
|
if (!e)
|
||||||
return NULL;
|
return NULL;
|
||||||
outline->edges = e;
|
outline->edges = e;
|
||||||
|
|
|
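Review bot: `outline->size += extra + 25` still runs before either allocation is attempted, so both `return NULL` paths (the new `SIZE_MAX / sizeof(Edge)` guard and the `if (!e)` check) leave `outline->size` larger than the buffer `outline->edges` actually points to. A later call on the same outline could then pass the `count + extra > size` test without growing and hand out edges past the end of the allocation; whether any caller keeps using an outline after a failure is not visible here. Computing the capacity in a local, e.g. `int new_size = outline->size + extra + 25;`, and storing `outline->size = new_size;` only after `outline->edges = e;` avoids that. The additions `outline->count + extra` and `extra + 25` are also unchecked and, if these fields are `int` as the `int extra` parameter suggests, can overflow before the new guard is reached. The body of allocate() starts and ends outside the hunk.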
@ -371,7 +371,17 @@ ImagingIncrementalCodecPushBuffer(ImagingIncrementalCodec codec,
|
||||||
/* In this specific case, we append to a buffer we allocate ourselves */
|
/* In this specific case, we append to a buffer we allocate ourselves */
|
||||||
size_t old_size = codec->stream.end - codec->stream.buffer;
|
size_t old_size = codec->stream.end - codec->stream.buffer;
|
||||||
size_t new_size = codec->stream.end - codec->stream.buffer + bytes;
|
size_t new_size = codec->stream.end - codec->stream.buffer + bytes;
|
||||||
UINT8 *new = (UINT8 *)realloc (codec->stream.buffer, new_size);
|
UINT8 *new;
|
||||||
|
|
||||||
|
if (old_size > SIZE_MAX - bytes) {
|
||||||
|
codec->state->errcode = IMAGING_CODEC_MEMORY;
|
||||||
|
#ifndef _WIN32
|
||||||
|
pthread_mutex_unlock(&codec->data_mutex);
|
||||||
|
#endif
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
/* malloc check ok, overflow checked */
|
||||||
|
new = (UINT8 *)realloc (codec->stream.buffer, new_size);
|
||||||
|
|
||||||
if (!new) {
|
if (!new) {
|
||||||
codec->state->errcode = IMAGING_CODEC_MEMORY;
|
codec->state->errcode = IMAGING_CODEC_MEMORY;
|
||||||
|
|
|
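Review bot: `new_size` is still initialised as `codec->stream.end - codec->stream.buffer + bytes` two lines before the new `old_size > SIZE_MAX - bytes` guard, so the wrapped value exists before it is rejected. It is not used on the failing path, so this is a readability point rather than a defect, assuming `bytes` is an unsigned `size_t` (its declaration is outside the hunk); if it were signed, the guard would not mean what it says. Declaring `size_t new_size;` and assigning `new_size = old_size + bytes;` directly after the guard keeps the check next to the arithmetic it protects. The function body starts and ends outside the hunk.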
@ -702,6 +702,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state,
|
||||||
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
|
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
|
||||||
|
|
||||||
if (buffer_size < tile_info.data_size) {
|
if (buffer_size < tile_info.data_size) {
|
||||||
|
/* malloc check ok, tile_info.data_size from openjpeg */
|
||||||
UINT8 *new = realloc (state->buffer, tile_info.data_size);
|
UINT8 *new = realloc (state->buffer, tile_info.data_size);
|
||||||
if (!new) {
|
if (!new) {
|
||||||
state->errcode = IMAGING_CODEC_MEMORY;
|
state->errcode = IMAGING_CODEC_MEMORY;
|
||||||
|
|
|
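Review bot: The added comment `/* malloc check ok, tile_info.data_size from openjpeg */` records where the size comes from, not a limit on it: `tile_info.data_size` is derived by the library from the image being decoded, so the `realloc` size is effectively chosen by the file. No arithmetic is done on it here, so this call cannot overflow, but nothing in the hunk caps the allocation or ties `data_size` to the tile coordinates that are adjusted by `correction` and `context->reduce` just above. I would word the comment to say so, e.g. `/* malloc check ok: no size arithmetic here; data_size is file-derived and unbounded, tile bounds must be validated before unpacking */`, and confirm that such validation exists in the part of j2k_decode_entry outside this hunk.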
@ -58,10 +58,14 @@ tsize_t _tiffWriteProc(thandle_t hdata, tdata_t buf, tsize_t size) {
|
||||||
tdata_t new;
|
tdata_t new;
|
||||||
tsize_t newsize=state->size;
|
tsize_t newsize=state->size;
|
||||||
while (newsize < (size + state->size)) {
|
while (newsize < (size + state->size)) {
|
||||||
|
if (newsize > (tsize_t)SIZE_MAX - 64*1024){
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
newsize += 64*1024;
|
newsize += 64*1024;
|
||||||
// newsize*=2; // UNDONE, by 64k chunks?
|
// newsize*=2; // UNDONE, by 64k chunks?
|
||||||
}
|
}
|
||||||
TRACE(("Reallocing in write to %d bytes\n", (int)newsize));
|
TRACE(("Reallocing in write to %d bytes\n", (int)newsize));
|
||||||
|
/* malloc check ok, overflow checked above */
|
||||||
new = realloc(state->data, newsize);
|
new = realloc(state->data, newsize);
|
||||||
if (!new) {
|
if (!new) {
|
||||||
// fail out
|
// fail out
|
||||||
|
|
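Review bot: The new guard `if (newsize > (tsize_t)SIZE_MAX - 64*1024)` compares against a value that is not the maximum of `tsize_t`: libtiff defines `tsize_t` as a signed type, and converting `SIZE_MAX` to a signed type typically yields -1, which makes the right-hand side negative. The test is then true for every non-negative `newsize`, so `_tiffWriteProc` would return 0 as soon as the buffer has to grow rather than only on overflow. Bounding against a signed limit, for example `if (newsize > INT_MAX - 64*1024) {`, keeps the overflow protection and matches the `(int)newsize` cast in the TRACE call. The sum `size + state->size` in the loop condition is also evaluated without a check; the function continues past the end of the hunk.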
1
path.c
1
path.c
|
@ -306,6 +306,7 @@ path_compact(PyPathObject* self, PyObject* args)
|
||||||
self->count = j;
|
self->count = j;
|
||||||
|
|
||||||
/* shrink coordinate array */
|
/* shrink coordinate array */
|
||||||
|
/* malloc check ok, self->count is smaller than it was before */
|
||||||
self->xy = realloc(self->xy, 2 * self->count * sizeof(double));
|
self->xy = realloc(self->xy, 2 * self->count * sizeof(double));
|
||||||
|
|
||||||
return Py_BuildValue("i", i); /* number of removed vertices */
|
return Py_BuildValue("i", i); /* number of removed vertices */
|
||||||
|
|
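Review bot: The comment added above `self->xy = realloc(self->xy, 2 * self->count * sizeof(double));` covers overflow of the size expression but not the result of the call, which is still assigned straight back to `self->xy`. If `realloc` returns NULL, the original array is leaked and `self->xy` is NULL while `self->count` may be non-zero; when `self->count` is 0 the request has size 0, whose behaviour is implementation-defined. Since this is only a shrink, keeping the old buffer on failure is enough: `if (self->count > 0) { double *xy = realloc(self->xy, 2 * self->count * sizeof(double)); if (xy) self->xy = xy; }` (assuming `xy` is a `double *`, as the `sizeof(double)` suggests). path_compact starts outside the hunk.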