malloc checks, overflow and errors

Eric Soroos 2017-09-29 11:01:10 +00:00
parent 2014cf69b8
commit 779310a832


@ -94,6 +94,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
{ {
UINT8 *ptr; UINT8 *ptr;
SGISTATE *c; SGISTATE *c;
int err = 0;
/* Get all data from File descriptor */ /* Get all data from File descriptor */
c = (SGISTATE*)state->context; c = (SGISTATE*)state->context;
@ -101,6 +102,9 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
c->bufsize = _imaging_tell_pyFd(state->fd); c->bufsize = _imaging_tell_pyFd(state->fd);
c->bufsize -= SGI_HEADER_SIZE; c->bufsize -= SGI_HEADER_SIZE;
ptr = malloc(sizeof(UINT8) * c->bufsize); ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) {
return IMAGING_CODEC_MEMORY;
}
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET); _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize); _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
@ -108,18 +112,32 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* decoder initialization */ /* decoder initialization */
state->count = 0; state->count = 0;
state->y = 0; state->y = 0;
if (state->ystep < 0) if (state->ystep < 0) {
state->y = im->ysize - 1; state->y = im->ysize - 1;
else } else {
state->ystep = 1; state->ystep = 1;
}
if (im->xsize > INT_MAX / im->bands ||
im->ysize > INT_MAX / im->bands) {
err = IMAGING_CODEC_MEMORY;
goto sgi_finish_decode;
}
/* Allocate memory for RLE tables and rows */ /* Allocate memory for RLE tables and rows */
free(state->buffer); free(state->buffer);
state->buffer = malloc(sizeof(UINT8) * 2 * im->xsize * im->bands); state->buffer = NULL;
/* malloc overflow check above */
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
c->tablen = im->bands * im->ysize; c->tablen = im->bands * im->ysize;
c->starttab = calloc(c->tablen, sizeof(UINT32)); c->starttab = calloc(c->tablen, sizeof(UINT32));
c->lengthtab = calloc(c->tablen, sizeof(UINT32)); c->lengthtab = calloc(c->tablen, sizeof(UINT32));
if (!state->buffer ||
!c->starttab ||
!c->lengthtab) {
err = IMAGING_CODEC_MEMORY;
goto sgi_finish_decode;
}
/* populate offsets table */ /* populate offsets table */
for (c->tabindex = 0, c->bufindex = 0; c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4) for (c->tabindex = 0, c->bufindex = 0; c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4)
read4B(&c->starttab[c->tabindex], &ptr[c->bufindex]); read4B(&c->starttab[c->tabindex], &ptr[c->bufindex]);
@ -163,6 +181,8 @@ sgi_finish_decode: ;
free(c->starttab); free(c->starttab);
free(c->lengthtab); free(c->lengthtab);
free(ptr); free(ptr);
if (err != 0){
return err;
}
return state->count - c->bufsize; return state->count - c->bufsize;
} }
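Review bot: The offsets-table loop that follows the new allocation check still reads four bytes at `ptr[c->bufindex]` for each of `c->tablen` entries without comparing against `c->bufsize`, so a file with less data than `im->bands * im->ysize` implies is read past the end of the `malloc`'d buffer. A guard before the loop such as `if (c->tablen > c->bufsize / 4) { err = IMAGING_CODEC_OVERRUN; goto sgi_finish_decode; }` would cover the loop shown; the divisor should be 8 if the length table is filled from `ptr` in the same way, which is outside the hunks. `c->bufsize` is also passed to `malloc` right after `SGI_HEADER_SIZE` is subtracted, with no check that the file was at least header-sized. The return value of `_imaging_read_pyFd` is not compared with `c->bufsize`, so a short read would leave the tail of the buffer uninitialised before it is parsed.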