Malloc check, #1715

This commit is contained in:
wiredfool 2016-03-16 04:47:18 -07:00
parent c589ae6bcf
commit 52d60cd096
17 changed files with 189 additions and 62 deletions

View File

@ -362,9 +362,20 @@ getbands(const char* mode)
#define TYPE_DOUBLE (0x400|sizeof(double)) #define TYPE_DOUBLE (0x400|sizeof(double))
static void* static void*
getlist(PyObject* arg, int* length, const char* wrong_length, int type) getlist(PyObject* arg, Py_ssize_t* length, const char* wrong_length, int type)
{ {
int i, n, itemp; /* - allocates and returns a c array of the items in the
python sequence arg.
- the size of the returned array is in length
- all of the arg items must be numeric items of the type
specified in type
- sequence length is checked against the length parameter IF
an error parameter is passed in wrong_length
- caller is responsible for freeing the memory
*/
Py_ssize_t i, n;
int itemp;
double dtemp; double dtemp;
void* list; void* list;
PyObject* seq; PyObject* seq;
@ -381,7 +392,9 @@ getlist(PyObject* arg, int* length, const char* wrong_length, int type)
return NULL; return NULL;
} }
list = malloc(n * (type & 0xff)); /* malloc check ok, type & ff is just a sizeof(something)
calloc checks for overflow */
list = calloc(n, type & 0xff);
if (!list) if (!list)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -845,7 +858,7 @@ static PyObject*
_filter(ImagingObject* self, PyObject* args) _filter(ImagingObject* self, PyObject* args)
{ {
PyObject* imOut; PyObject* imOut;
int kernelsize; Py_ssize_t kernelsize;
FLOAT32* kerneldata; FLOAT32* kerneldata;
int xsize, ysize; int xsize, ysize;
@ -859,7 +872,7 @@ _filter(ImagingObject* self, PyObject* args)
kerneldata = getlist(kernel, &kernelsize, NULL, TYPE_FLOAT32); kerneldata = getlist(kernel, &kernelsize, NULL, TYPE_FLOAT32);
if (!kerneldata) if (!kerneldata)
return NULL; return NULL;
if (kernelsize != xsize * ysize) { if (kernelsize != (Py_ssize_t) xsize * (Py_ssize_t) ysize) {
free(kerneldata); free(kerneldata);
return ImagingError_ValueError("bad kernel size"); return ImagingError_ValueError("bad kernel size");
} }
@ -1148,8 +1161,8 @@ _point(ImagingObject* self, PyObject* args)
{ {
static const char* wrong_number = "wrong number of lut entries"; static const char* wrong_number = "wrong number of lut entries";
int n, i; Py_ssize_t n;
int bands; int i, bands;
Imaging im; Imaging im;
PyObject* list; PyObject* list;
@ -1664,7 +1677,7 @@ _transform2(ImagingObject* self, PyObject* args)
Imaging imIn; Imaging imIn;
Imaging imOut; Imaging imOut;
int n; Py_ssize_t n;
double *a; double *a;
ImagingObject* imagep; ImagingObject* imagep;
@ -1920,6 +1933,7 @@ _getprojection(ImagingObject* self, PyObject* args)
unsigned char* yprofile; unsigned char* yprofile;
PyObject* result; PyObject* result;
/* malloc check ok */
xprofile = malloc(self->image->xsize); xprofile = malloc(self->image->xsize);
yprofile = malloc(self->image->ysize); yprofile = malloc(self->image->ysize);
@ -2731,7 +2745,7 @@ _draw_polygon(ImagingDrawObject* self, PyObject* args)
} }
/* Copy list of vertices to array */ /* Copy list of vertices to array */
ixy = (int*) malloc(n * 2 * sizeof(int)); ixy = (int*) calloc(n, 2 * sizeof(int));
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
ixy[i+i] = (int) xy[i+i]; ixy[i+i] = (int) xy[i+i];

View File

@ -188,8 +188,13 @@ _setimage(ImagingDecoderObject* decoder, PyObject* args)
/* Allocate memory buffer (if bits field is set) */ /* Allocate memory buffer (if bits field is set) */
if (state->bits > 0) { if (state->bits > 0) {
if (!state->bytes) if (!state->bytes) {
if (state->xsize > ((SIZE_MAX / state->bits)-7)){
return PyErr_NoMemory();
}
state->bytes = (state->bits * state->xsize+7)/8; state->bytes = (state->bits * state->xsize+7)/8;
}
/* malloc check ok, oveflow checked above */
state->buffer = (UINT8*) malloc(state->bytes); state->buffer = (UINT8*) malloc(state->bytes);
if (!state->buffer) if (!state->buffer)
return PyErr_NoMemory(); return PyErr_NoMemory();

View File

@ -159,6 +159,7 @@ _encode_to_file(ImagingEncoderObject* encoder, PyObject* args)
return NULL; return NULL;
/* Allocate an encoder buffer */ /* Allocate an encoder buffer */
/* malloc check ok, either constant int, or checked by PyArg_ParseTuple */
buf = (UINT8*) malloc(bufsize); buf = (UINT8*) malloc(bufsize);
if (!buf) if (!buf)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -233,7 +234,11 @@ _setimage(ImagingEncoderObject* encoder, PyObject* args)
/* Allocate memory buffer (if bits field is set) */ /* Allocate memory buffer (if bits field is set) */
if (state->bits > 0) { if (state->bits > 0) {
if (state->xsize > ((SIZE_MAX / state->bits)-7)) {
return PyErr_NoMemory();
}
state->bytes = (state->bits * state->xsize+7)/8; state->bytes = (state->bits * state->xsize+7)/8;
/* malloc check ok, overflow checked above */
state->buffer = (UINT8*) malloc(state->bytes); state->buffer = (UINT8*) malloc(state->bytes);
if (!state->buffer) if (!state->buffer)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -482,6 +487,7 @@ PyImaging_ZipEncoderNew(PyObject* self, PyObject* args)
free this memory later, so this function (and several others here) free this memory later, so this function (and several others here)
leaks. */ leaks. */
if (dictionary && dictionary_size > 0) { if (dictionary && dictionary_size > 0) {
/* malloc check ok, size comes from PyArg_ParseTuple */
char* p = malloc(dictionary_size); char* p = malloc(dictionary_size);
if (!p) if (!p)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -559,6 +565,7 @@ static unsigned int* get_qtables_arrays(PyObject* qtables, int* qtablesLen) {
Py_DECREF(tables); Py_DECREF(tables);
return NULL; return NULL;
} }
/* malloc check ok, num_tables <4, DCTSIZE2 == 64 from jpeglib.h */
qarrays = (unsigned int*) malloc(num_tables * DCTSIZE2 * sizeof(unsigned int)); qarrays = (unsigned int*) malloc(num_tables * DCTSIZE2 * sizeof(unsigned int));
if (!qarrays) { if (!qarrays) {
Py_DECREF(tables); Py_DECREF(tables);
@ -634,6 +641,7 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args)
qarrays = get_qtables_arrays(qtables, &qtablesLen); qarrays = get_qtables_arrays(qtables, &qtablesLen);
if (extra && extra_size > 0) { if (extra && extra_size > 0) {
/* malloc check ok, length is from python parsearg */
char* p = malloc(extra_size); // Freed in JpegEncode, Case 5 char* p = malloc(extra_size); // Freed in JpegEncode, Case 5
if (!p) if (!p)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -643,6 +651,7 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args)
extra = NULL; extra = NULL;
if (rawExif && rawExifLen > 0) { if (rawExif && rawExifLen > 0) {
/* malloc check ok, length is from python parsearg */
char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5 char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5
if (!pp) if (!pp)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -757,15 +766,16 @@ PyImaging_LibTiffEncoderNew(PyObject* self, PyObject* args)
(ttag_t) PyInt_AsLong(key), (ttag_t) PyInt_AsLong(key),
PyBytes_AsString(value)); PyBytes_AsString(value));
} else if (PyTuple_Check(value)) { } else if (PyTuple_Check(value)) {
int len,i; Py_ssize_t len,i;
float *floatav; float *floatav;
int *intav; int *intav;
TRACE(("Setting from Tuple: %d \n", (int)PyInt_AsLong(key))); TRACE(("Setting from Tuple: %d \n", (int)PyInt_AsLong(key)));
len = (int)PyTuple_Size(value); len = PyTuple_Size(value);
if (len) { if (len) {
if (PyInt_Check(PyTuple_GetItem(value,0))) { if (PyInt_Check(PyTuple_GetItem(value,0))) {
TRACE((" %d elements, setting as ints \n", len)); TRACE((" %d elements, setting as ints \n", (int)len));
intav = malloc(sizeof(int)*len); /* malloc check ok, calloc checks for overflow */
intav = calloc(len, sizeof(int));
if (intav) { if (intav) {
for (i=0;i<len;i++) { for (i=0;i<len;i++) {
intav[i] = (int)PyInt_AsLong(PyTuple_GetItem(value,i)); intav[i] = (int)PyInt_AsLong(PyTuple_GetItem(value,i));
@ -776,8 +786,9 @@ PyImaging_LibTiffEncoderNew(PyObject* self, PyObject* args)
free(intav); free(intav);
} }
} else if (PyFloat_Check(PyTuple_GetItem(value,0))) { } else if (PyFloat_Check(PyTuple_GetItem(value,0))) {
TRACE((" %d elements, setting as floats \n", len)); TRACE((" %d elements, setting as floats \n", (int)len));
floatav = malloc(sizeof(float)*len); /* malloc check ok, calloc checks for overflow */
floatav = calloc(len, sizeof(float));
if (floatav) { if (floatav) {
for (i=0;i<len;i++) { for (i=0;i<len;i++) {
floatav[i] = (float)PyFloat_AsDouble(PyTuple_GetItem(value,i)); floatav[i] = (float)PyFloat_AsDouble(PyTuple_GetItem(value,i));

View File

@ -70,9 +70,11 @@ ImagingNewDIB(const char *mode, int xsize, int ysize)
return (ImagingDIB) ImagingError_ModeError(); return (ImagingDIB) ImagingError_ModeError();
/* Create DIB context and info header */ /* Create DIB context and info header */
/* malloc check ok, small constant allocation */
dib = (ImagingDIB) malloc(sizeof(*dib)); dib = (ImagingDIB) malloc(sizeof(*dib));
if (!dib) if (!dib)
return (ImagingDIB) ImagingError_MemoryError(); return (ImagingDIB) ImagingError_MemoryError();
/* malloc check ok, small constant allocation */
dib->info = (BITMAPINFO*) malloc(sizeof(BITMAPINFOHEADER) + dib->info = (BITMAPINFO*) malloc(sizeof(BITMAPINFOHEADER) +
256 * sizeof(RGBQUAD)); 256 * sizeof(RGBQUAD));
if (!dib->info) { if (!dib->info) {

View File

@ -434,7 +434,8 @@ polygon_generic(Imaging im, int n, Edge *e, int ink, int eofill,
} }
/* Initialize the edge table and find polygon boundaries */ /* Initialize the edge table and find polygon boundaries */
edge_table = malloc(sizeof(Edge*) * n); /* malloc check ok, using calloc */
edge_table = calloc(n, sizeof(Edge*));
if (!edge_table) { if (!edge_table) {
return -1; return -1;
} }
@ -462,7 +463,8 @@ polygon_generic(Imaging im, int n, Edge *e, int ink, int eofill,
} }
/* Process the edge table with a scan line searching for intersections */ /* Process the edge table with a scan line searching for intersections */
xx = malloc(sizeof(float) * edge_count * 2); /* malloc check ok, using calloc */
xx = calloc(edge_count * 2, sizeof(float));
if (!xx) { if (!xx) {
free(edge_table); free(edge_table);
return -1; return -1;
@ -700,7 +702,8 @@ ImagingDrawPolygon(Imaging im, int count, int* xy, const void* ink_,
if (fill) { if (fill) {
/* Build edge list */ /* Build edge list */
Edge* e = malloc(count * sizeof(Edge)); /* malloc check ok, using calloc */
Edge* e = calloc(count, sizeof(Edge));
if (!e) { if (!e) {
(void) ImagingError_MemoryError(); (void) ImagingError_MemoryError();
return -1; return -1;
@ -772,7 +775,8 @@ ellipse(Imaging im, int x0, int y0, int x1, int y1,
if (mode != ARC && fill) { if (mode != ARC && fill) {
/* Build edge list */ /* Build edge list */
Edge* e = malloc((end - start + 3) * sizeof(Edge)); /* malloc check UNDONE, FLOAT? */
Edge* e = calloc((end - start + 3), sizeof(Edge));
if (!e) { if (!e) {
ImagingError_MemoryError(); ImagingError_MemoryError();
return -1; return -1;
@ -930,8 +934,11 @@ allocate(ImagingOutline outline, int extra)
/* expand outline buffer */ /* expand outline buffer */
outline->size += extra + 25; outline->size += extra + 25;
if (!outline->edges) if (!outline->edges)
e = malloc(outline->size * sizeof(Edge)); /* malloc check ok, uses calloc for overflow */
e = calloc(outline->size, sizeof(Edge));
else else
/* malloc check UNDONE, overflow, realloc to larger,
if it fails, it will leak memory */
e = realloc(outline->edges, outline->size * sizeof(Edge)); e = realloc(outline->edges, outline->size * sizeof(Edge));
if (!e) if (!e)
return NULL; return NULL;

View File

@ -713,7 +713,8 @@ ImagingScaleAffine(Imaging imOut, Imaging imIn,
if (y1 > imOut->ysize) if (y1 > imOut->ysize)
y1 = imOut->ysize; y1 = imOut->ysize;
xintab = (int*) malloc(imOut->xsize * sizeof(int)); /* malloc check ok, uses calloc for overflow */
xintab = (int*) calloc(imOut->xsize, sizeof(int));
if (!xintab) { if (!xintab) {
ImagingDelete(imOut); ImagingDelete(imOut);
return (Imaging) ImagingError_MemoryError(); return (Imaging) ImagingError_MemoryError();

View File

@ -61,6 +61,7 @@ emit(GIFENCODERSTATE *context, int byte)
block = context->free; block = context->free;
context->free = NULL; context->free = NULL;
} else { } else {
/* malloc check ok, small constant allocation */
block = malloc(sizeof(GIFENCODERBLOCK)); block = malloc(sizeof(GIFENCODERBLOCK));
if (!block) if (!block)
return 0; return 0;

View File

@ -168,6 +168,7 @@ ImagingIncrementalCodecCreate(ImagingIncrementalCodecEntry codec_entry,
int seekable, int seekable,
int fd) int fd)
{ {
/* malloc check ok, small constant allocation */
ImagingIncrementalCodec codec = (ImagingIncrementalCodec)malloc(sizeof(struct ImagingIncrementalCodecStruct)); ImagingIncrementalCodec codec = (ImagingIncrementalCodec)malloc(sizeof(struct ImagingIncrementalCodecStruct));
codec->entry = codec_entry; codec->entry = codec_entry;

View File

@ -103,7 +103,7 @@ ImagingPaletteDuplicate(ImagingPalette palette)
if (!palette) if (!palette)
return NULL; return NULL;
/* malloc check ok, small constant allocation */
new_palette = malloc(sizeof(struct ImagingPaletteInstance)); new_palette = malloc(sizeof(struct ImagingPaletteInstance));
if (!new_palette) if (!new_palette)
return (ImagingPalette) ImagingError_MemoryError(); return (ImagingPalette) ImagingError_MemoryError();
@ -288,6 +288,7 @@ ImagingPaletteCachePrepare(ImagingPalette palette)
/* The cache is 512k. It might be a good idea to break it /* The cache is 512k. It might be a good idea to break it
up into a pointer array (e.g. an 8-bit image?) */ up into a pointer array (e.g. an 8-bit image?) */
/* malloc check ok, small constant allocation */
palette->cache = (INT16*) malloc(entries * sizeof(INT16)); palette->cache = (INT16*) malloc(entries * sizeof(INT16));
if (!palette->cache) { if (!palette->cache) {
(void) ImagingError_MemoryError(); (void) ImagingError_MemoryError();

View File

@ -150,6 +150,7 @@ create_pixel_hash(Pixel *pixelData,uint32_t nPixels)
uint32_t timer,timer2,timer3; uint32_t timer,timer2,timer3;
#endif #endif
/* malloc check ok, small constant allocation */
d=malloc(sizeof(PixelHashData)); d=malloc(sizeof(PixelHashData));
if (!d) return NULL; if (!d) return NULL;
hash=hashtable_new(pixel_hash,pixel_cmp); hash=hashtable_new(pixel_hash,pixel_cmp);
@ -234,6 +235,7 @@ hash_to_list(const HashTable *h, const Pixel pixel, const uint32_t count, void *
PIXEL_SCALE(&pixel,&q,d->scale); PIXEL_SCALE(&pixel,&q,d->scale);
/* malloc check ok, small constant allocation */
p=malloc(sizeof(PixelList)); p=malloc(sizeof(PixelList));
if (!p) return; if (!p) return;
@ -557,6 +559,7 @@ split(BoxNode *node)
exit(1); exit(1);
} }
#endif #endif
/* malloc check ok, small constant allocation */
left=malloc(sizeof(BoxNode)); left=malloc(sizeof(BoxNode));
right=malloc(sizeof(BoxNode)); right=malloc(sizeof(BoxNode));
if (!left||!right) { if (!left||!right) {
@ -613,6 +616,7 @@ median_cut(PixelList *hl[3],
BoxNode *thisNode; BoxNode *thisNode;
h=ImagingQuantHeapNew(box_heap_cmp); h=ImagingQuantHeapNew(box_heap_cmp);
/* malloc check ok, small constant allocation */
root=malloc(sizeof(BoxNode)); root=malloc(sizeof(BoxNode));
if (!root) { ImagingQuantHeapFree(h); return NULL; } if (!root) { ImagingQuantHeapFree(h); return NULL; }
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
@ -954,15 +958,16 @@ compute_palette_from_median_cut(
uint32_t *count; uint32_t *count;
*palette=NULL; *palette=NULL;
if (!(count=malloc(sizeof(uint32_t)*nPaletteEntries))) { /* malloc check ok, using calloc */
if (!(count=calloc(nPaletteEntries, sizeof(uint32_t)))) {
return 0; return 0;
} }
memset(count,0,sizeof(uint32_t)*nPaletteEntries);
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
avg[i]=NULL; avg[i]=NULL;
} }
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
if (!(avg[i]=malloc(sizeof(uint32_t)*nPaletteEntries))) { /* malloc check ok, using calloc */
if (!(avg[i]=calloc(nPaletteEntries, sizeof(uint32_t)))) {
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
if (avg[i]) free (avg[i]); if (avg[i]) free (avg[i]);
} }
@ -970,9 +975,6 @@ compute_palette_from_median_cut(
return 0; return 0;
} }
} }
for(i=0;i<3;i++) {
memset(avg[i],0,sizeof(uint32_t)*nPaletteEntries);
}
for (i=0;i<nPixels;i++) { for (i=0;i<nPixels;i++) {
#ifdef TEST_SPLIT_INTEGRITY #ifdef TEST_SPLIT_INTEGRITY
if (!(i%100)) { printf ("%05d\r",i); fflush(stdout); } if (!(i%100)) { printf ("%05d\r",i); fflush(stdout); }
@ -1004,7 +1006,8 @@ compute_palette_from_median_cut(
avg[2][paletteEntry]+=pixelData[i].c.b; avg[2][paletteEntry]+=pixelData[i].c.b;
count[paletteEntry]++; count[paletteEntry]++;
} }
p=malloc(sizeof(Pixel)*nPaletteEntries); /* malloc check ok, using calloc */
p=calloc(nPaletteEntries, sizeof(Pixel));
if (!p) { if (!p) {
for(i=0;i<3;i++) free (avg[i]); for(i=0;i<3;i++) free (avg[i]);
free(count); free(count);
@ -1089,22 +1092,30 @@ k_means(Pixel *pixelData,
uint32_t **avgDistSortKey; uint32_t **avgDistSortKey;
int changes; int changes;
int built=0; int built=0;
/* malloc check ok, using calloc */
if (!(count=malloc(sizeof(uint32_t)*nPaletteEntries))) { if (!(count=calloc(nPaletteEntries, sizeof(uint32_t)))) {
return 0; return 0;
} }
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
avg[i]=NULL; avg[i]=NULL;
} }
for(i=0;i<3;i++) { for(i=0;i<3;i++) {
if (!(avg[i]=malloc(sizeof(uint32_t)*nPaletteEntries))) { /* malloc check ok, using calloc */
if (!(avg[i]=calloc(nPaletteEntries, sizeof(uint32_t)))) {
goto error_1; goto error_1;
} }
} }
avgDist=malloc(sizeof(uint32_t)*nPaletteEntries*nPaletteEntries);
/* this is enough of a check, since the multiplication n*size is done above */
if (nPaletteEntries > SIZE_MAX / (nPaletteEntries * sizeof(uint32_t))) {
goto error_1;
}
/* malloc check ok, using calloc, checking n*n above */
avgDist=calloc(nPaletteEntries*nPaletteEntries, sizeof(uint32_t));
if (!avgDist) { goto error_1; } if (!avgDist) { goto error_1; }
avgDistSortKey=malloc(sizeof(uint32_t *)*nPaletteEntries*nPaletteEntries); /* malloc check ok, using calloc, checking n*n above */
avgDistSortKey=calloc(nPaletteEntries*nPaletteEntries, sizeof(uint32_t *));
if (!avgDistSortKey) { goto error_2; } if (!avgDistSortKey) { goto error_2; }
#ifndef NO_OUTPUT #ifndef NO_OUTPUT
@ -1251,13 +1262,20 @@ quantize(Pixel *pixelData,
free_box_tree(root); free_box_tree(root);
root=NULL; root=NULL;
qp=malloc(sizeof(uint32_t)*nPixels); /* malloc check ok, using calloc for overflow */
qp=calloc(nPixels, sizeof(uint32_t));
if (!qp) { goto error_4; } if (!qp) { goto error_4; }
avgDist=malloc(sizeof(uint32_t)*nPaletteEntries*nPaletteEntries); if ((nPaletteEntries > SIZE_MAX / nPaletteEntries ) ||
(nPaletteEntries > SIZE_MAX / (nPaletteEntries * sizeof(uint32_t)))) {
goto error_5;
}
/* malloc check ok, using calloc for overflow, check of n*n above */
avgDist=calloc(nPaletteEntries*nPaletteEntries, sizeof(uint32_t));
if (!avgDist) { goto error_5; } if (!avgDist) { goto error_5; }
avgDistSortKey=malloc(sizeof(uint32_t *)*nPaletteEntries*nPaletteEntries); /* malloc check ok, using calloc for overflow, check of n*n above */
avgDistSortKey=calloc(nPaletteEntries*nPaletteEntries, sizeof(uint32_t *));
if (!avgDistSortKey) { goto error_6; } if (!avgDistSortKey) { goto error_6; }
if (!build_distance_tables(avgDist,avgDistSortKey,p,nPaletteEntries)) { if (!build_distance_tables(avgDist,avgDistSortKey,p,nPaletteEntries)) {
@ -1400,7 +1418,8 @@ quantize2(Pixel *pixelData,
uint32_t *avgDist; uint32_t *avgDist;
uint32_t **avgDistSortKey; uint32_t **avgDistSortKey;
p=malloc(sizeof(Pixel)*nQuantPixels); /* malloc check ok, using calloc */
p=calloc(nQuantPixels, sizeof(Pixel));
if (!p) return 0; if (!p) return 0;
mean[0]=mean[1]=mean[2]=0; mean[0]=mean[1]=mean[2]=0;
h=hashtable_new(unshifted_pixel_hash,unshifted_pixel_cmp); h=hashtable_new(unshifted_pixel_hash,unshifted_pixel_cmp);
@ -1422,13 +1441,21 @@ quantize2(Pixel *pixelData,
} }
hashtable_free(h); hashtable_free(h);
qp=malloc(sizeof(uint32_t)*nPixels); /* malloc check ok, using calloc */
qp=calloc(nPixels, sizeof(uint32_t));
if (!qp) { goto error_1; } if (!qp) { goto error_1; }
avgDist=malloc(sizeof(uint32_t)*nQuantPixels*nQuantPixels); if ((nQuantPixels > SIZE_MAX / nQuantPixels ) ||
(nQuantPixels > SIZE_MAX / (nQuantPixels * sizeof(uint32_t)))) {
goto error_2;
}
/* malloc check ok, using calloc for overflow, check of n*n above */
avgDist=calloc(nQuantPixels*nQuantPixels, sizeof(uint32_t));
if (!avgDist) { goto error_2; } if (!avgDist) { goto error_2; }
avgDistSortKey=malloc(sizeof(uint32_t *)*nQuantPixels*nQuantPixels); /* malloc check ok, using calloc for overflow, check of n*n above */
avgDistSortKey=calloc(nQuantPixels*nQuantPixels, sizeof(uint32_t *));
if (!avgDistSortKey) { goto error_3; } if (!avgDistSortKey) { goto error_3; }
if (!build_distance_tables(avgDist,avgDistSortKey,p,nQuantPixels)) { if (!build_distance_tables(avgDist,avgDistSortKey,p,nQuantPixels)) {
@ -1488,7 +1515,12 @@ ImagingQuantize(Imaging im, int colors, int mode, int kmeans)
if (!strcmp(im->mode, "RGBA") && mode != 2 && mode != 3) if (!strcmp(im->mode, "RGBA") && mode != 2 && mode != 3)
return ImagingError_ModeError(); return ImagingError_ModeError();
p = malloc(sizeof(Pixel) * im->xsize * im->ysize); if ((im->xsize > SIZE_MAX / im->ysize) ||
(im->xsize > SIZE_MAX / (im->ysize * sizeof(Pixel)))) {
return ImagingError_MemoryError();
}
/* malloc check ok, using calloc for final overflow, x*y above */
p = calloc(im->xsize * im->ysize, sizeof(Pixel));
if (!p) if (!p)
return ImagingError_MemoryError(); return ImagingError_MemoryError();

View File

@ -47,7 +47,12 @@ static int _heap_grow(Heap *h,int newsize) {
void *newheap; void *newheap;
if (!newsize) newsize=h->heapsize<<1; if (!newsize) newsize=h->heapsize<<1;
if (newsize<h->heapsize) return 0; if (newsize<h->heapsize) return 0;
newheap=malloc(sizeof(void *)*newsize); if (newsize > ((int)SIZE_MAX) / sizeof(void *)){
return 0;
}
/* malloc check ok, using calloc for overflow, also checking
above due to memcpy below*/
newheap=calloc(newsize, sizeof(void *));
if (!newheap) return 0; if (!newheap) return 0;
memcpy(newheap,h->heap,sizeof(void *)*h->heapsize); memcpy(newheap,h->heap,sizeof(void *)*h->heapsize);
free(h->heap); free(h->heap);
@ -132,11 +137,16 @@ int ImagingQuantHeapTop(Heap *h,void **r) {
Heap *ImagingQuantHeapNew(HeapCmpFunc cf) { Heap *ImagingQuantHeapNew(HeapCmpFunc cf) {
Heap *h; Heap *h;
/* malloc check ok, small constant allocation */
h=malloc(sizeof(Heap)); h=malloc(sizeof(Heap));
if (!h) return NULL; if (!h) return NULL;
h->heapsize=INITIAL_SIZE; h->heapsize=INITIAL_SIZE;
h->heap=malloc(sizeof(void *)*h->heapsize); /* malloc check ok, using calloc for overflow */
if (!h->heap) { free(h); return NULL; } h->heap=calloc(h->heapsize, sizeof(void *));
if (!h->heap) {
free(h);
return NULL;
}
h->heapcount=0; h->heapcount=0;
h->cf=cf; h->cf=cf;
return h; return h;

View File

@ -53,6 +53,7 @@ static ColorCube
new_color_cube(int r, int g, int b, int a) { new_color_cube(int r, int g, int b, int a) {
ColorCube cube; ColorCube cube;
/* malloc check ok, small constant allocation */
cube = malloc(sizeof(struct _ColorCube)); cube = malloc(sizeof(struct _ColorCube));
if (!cube) return NULL; if (!cube) return NULL;
@ -154,7 +155,11 @@ compare_bucket_count(const ColorBucket a, const ColorBucket b) {
static ColorBucket static ColorBucket
create_sorted_color_palette(const ColorCube cube) { create_sorted_color_palette(const ColorCube cube) {
ColorBucket buckets; ColorBucket buckets;
buckets = malloc(sizeof(struct _ColorBucket)*cube->size); if (cube->size > SIZE_MAX / sizeof(struct _ColorBucket)) {
return NULL;
}
/* malloc check ok, calloc + overflow check above for memcpy */
buckets = calloc(cube->size, sizeof(struct _ColorBucket));
if (!buckets) return NULL; if (!buckets) return NULL;
memcpy(buckets, cube->buckets, sizeof(struct _ColorBucket)*cube->size); memcpy(buckets, cube->buckets, sizeof(struct _ColorBucket)*cube->size);
@ -280,7 +285,15 @@ void add_lookup_buckets(ColorCube cube, ColorBucket palette, long nColors, long
ColorBucket ColorBucket
combined_palette(ColorBucket bucketsA, long nBucketsA, ColorBucket bucketsB, long nBucketsB) { combined_palette(ColorBucket bucketsA, long nBucketsA, ColorBucket bucketsB, long nBucketsB) {
ColorBucket result; ColorBucket result;
result = malloc(sizeof(struct _ColorBucket)*(nBucketsA+nBucketsB)); if (nBucketsA > SIZE_MAX - nBucketsB ||
(nBucketsA+nBucketsB) > SIZE_MAX / sizeof(struct _ColorBucket)) {
return NULL;
}
/* malloc check ok, overflow check above */
result = calloc(nBucketsA + nBucketsB, sizeof(struct _ColorBucket));
if (!result) {
return NULL;
}
memcpy(result, bucketsA, sizeof(struct _ColorBucket) * nBucketsA); memcpy(result, bucketsA, sizeof(struct _ColorBucket) * nBucketsA);
memcpy(&result[nBucketsA], bucketsB, sizeof(struct _ColorBucket) * nBucketsB); memcpy(&result[nBucketsA], bucketsB, sizeof(struct _ColorBucket) * nBucketsB);
return result; return result;
@ -291,7 +304,8 @@ create_palette_array(const ColorBucket palette, unsigned int paletteLength) {
Pixel *paletteArray; Pixel *paletteArray;
unsigned int i; unsigned int i;
paletteArray = malloc(sizeof(Pixel)*paletteLength); /* malloc check ok, calloc for overflow */
paletteArray = calloc(paletteLength, sizeof(Pixel));
if (!paletteArray) return NULL; if (!paletteArray) return NULL;
for (i=0; i<paletteLength; i++) { for (i=0; i<paletteLength; i++) {
@ -405,6 +419,7 @@ int quantize_octree(Pixel *pixelData,
paletteBucketsFine = NULL; paletteBucketsFine = NULL;
free(paletteBucketsCoarse); free(paletteBucketsCoarse);
paletteBucketsCoarse = NULL; paletteBucketsCoarse = NULL;
if (!paletteBuckets) goto error;
/* add all coarse colors to our coarse lookup cube. */ /* add all coarse colors to our coarse lookup cube. */
coarseLookupCube = new_color_cube(cubeBits[4], cubeBits[5], coarseLookupCube = new_color_cube(cubeBits[4], cubeBits[5],
@ -422,7 +437,8 @@ int quantize_octree(Pixel *pixelData,
add_lookup_buckets(lookupCube, paletteBuckets, nFineColors, nCoarseColors); add_lookup_buckets(lookupCube, paletteBuckets, nFineColors, nCoarseColors);
/* create result pixels and map palette indices */ /* create result pixels and map palette indices */
qp = malloc(sizeof(Pixel)*nPixels); /* malloc check ok, calloc for overflow */
qp = calloc(nPixels, sizeof(Pixel));
if (!qp) goto error; if (!qp) goto error;
map_image_pixels(pixelData, nPixels, lookupCube, qp); map_image_pixels(pixelData, nPixels, lookupCube, qp);

View File

@ -60,6 +60,12 @@ ImagingRankFilter(Imaging im, int size, int rank)
if (!(size & 1)) if (!(size & 1))
return (Imaging) ImagingError_ValueError("bad filter size"); return (Imaging) ImagingError_ValueError("bad filter size");
/* malloc check ok, for overflow in the define below */
if (size > SIZE_MAX / size ||
size > SIZE_MAX / (size * sizeof(FLOAT32))) {
return (Imaging) ImagingError_ValueError("filter size too large");
}
size2 = size * size; size2 = size * size;
margin = (size-1) / 2; margin = (size-1) / 2;

View File

@ -306,6 +306,7 @@ ImagingNewArray(const char *mode, int xsize, int ysize)
/* Allocate image as an array of lines */ /* Allocate image as an array of lines */
for (y = 0; y < im->ysize; y++) { for (y = 0; y < im->ysize; y++) {
/* malloc check UNDONE - where is linesize set? */
p = (char *) malloc(im->linesize); p = (char *) malloc(im->linesize);
if (!p) { if (!p) {
ImagingDestroyArray(im); ImagingDestroyArray(im);
@ -345,18 +346,23 @@ ImagingNewBlock(const char *mode, int xsize, int ysize)
if (!im) if (!im)
return NULL; return NULL;
if (im->linesize &&
im->ysize > SIZE_MAX / im->linesize) {
/* punt if we're going to overflow */
return NULL;
}
/* Use a single block */ /* Use a single block */
bytes = (Py_ssize_t) im->ysize * im->linesize; bytes = ((Py_ssize_t) im->ysize) * im->linesize;
if (bytes <= 0) if (bytes <= 0)
/* some platforms return NULL for malloc(0); this fix /* some platforms return NULL for malloc(0); this fix
prevents MemoryError on zero-sized images on such prevents MemoryError on zero-sized images on such
platforms */ platforms */
bytes = 1; bytes = 1;
im->block = (char *) malloc(bytes); /* malloc check ok, overflow check above */
im->block = (char *) calloc(bytes, 1);
if (im->block) { if (im->block) {
memset(im->block, 0, bytes);
for (y = i = 0; y < im->ysize; y++) { for (y = i = 0; y < im->ysize; y++) {
im->image[y] = im->block + i; im->image[y] = im->block + i;
i += im->linesize; i += im->linesize;
@ -392,7 +398,7 @@ ImagingNew(const char* mode, int xsize, int ysize)
} else } else
bytes = strlen(mode); /* close enough */ bytes = strlen(mode); /* close enough */
if ((int64_t) xsize * (int64_t) ysize * bytes <= THRESHOLD) { if ((int64_t) xsize * (int64_t) ysize <= THRESHOLD / bytes) {
im = ImagingNewBlock(mode, xsize, ysize); im = ImagingNewBlock(mode, xsize, ysize);
if (im) if (im)
return im; return im;

View File

@ -305,6 +305,7 @@ int ImagingLibTiffEncodeInit(ImagingCodecState state, char *filename, int fp) {
} else { } else {
// malloc a buffer to write the tif, we're going to need to realloc or something if we need bigger. // malloc a buffer to write the tif, we're going to need to realloc or something if we need bigger.
TRACE(("Opening a buffer for writing \n")); TRACE(("Opening a buffer for writing \n"));
/* malloc check ok, small constant allocation */
clientstate->data = malloc(bufsize); clientstate->data = malloc(bufsize);
clientstate->size = bufsize; clientstate->size = bufsize;
clientstate->flrealloc=1; clientstate->flrealloc=1;

View File

@ -56,9 +56,15 @@ ImagingZipDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
if (context->mode == ZIP_PNG || context->mode == ZIP_PNG_PALETTE) if (context->mode == ZIP_PNG || context->mode == ZIP_PNG_PALETTE)
context->prefix = 1; /* PNG */ context->prefix = 1; /* PNG */
/* overflow check for malloc */
if (state->bytes > SIZE_MAX - 1) {
state->errcode = IMAGING_CODEC_MEMORY;
return -1;
}
/* Expand standard buffer to make room for the (optional) filter /* Expand standard buffer to make room for the (optional) filter
prefix, and allocate a buffer to hold the previous line */ prefix, and allocate a buffer to hold the previous line */
free(state->buffer); free(state->buffer);
/* malloc check ok, overflow checked above */
state->buffer = (UINT8*) malloc(state->bytes+1); state->buffer = (UINT8*) malloc(state->bytes+1);
context->previous = (UINT8*) malloc(state->bytes+1); context->previous = (UINT8*) malloc(state->bytes+1);
if (!state->buffer || !context->previous) { if (!state->buffer || !context->previous) {

View File

@ -37,9 +37,16 @@ ImagingZipEncode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
/* Valid modes are ZIP_PNG, ZIP_PNG_PALETTE, and ZIP_TIFF */ /* Valid modes are ZIP_PNG, ZIP_PNG_PALETTE, and ZIP_TIFF */
/* overflow check for malloc */
if (state->bytes > SIZE_MAX - 1) {
state->errcode = IMAGING_CODEC_MEMORY;
return -1;
}
/* Expand standard buffer to make room for the filter selector, /* Expand standard buffer to make room for the filter selector,
and allocate filter buffers */ and allocate filter buffers */
free(state->buffer); free(state->buffer);
/* malloc check ok, overflow checked above */
state->buffer = (UINT8*) malloc(state->bytes+1); state->buffer = (UINT8*) malloc(state->bytes+1);
context->previous = (UINT8*) malloc(state->bytes+1); context->previous = (UINT8*) malloc(state->bytes+1);
context->prior = (UINT8*) malloc(state->bytes+1); context->prior = (UINT8*) malloc(state->bytes+1);