shithub: jbig2


ref: d6dcc6bd175300af5cc71c8395207a4ec67c2d0c
parent: 4e682afbfcb79ea61b096af38f4fa703274c192d
author: Simon Bünzli <[email protected]>
date: Sun Dec 22 19:00:32 EST 2013

jbig2dec: tweak overflow check in jbig2_(re)alloc

If num * size overflows under x64, the value may be negative and still
fit into a 32-bit integer. The proper check unfortunately requires a
division.

Note: The maximum allowed allocation is (size_t)-0x100 instead of
SIZE_MAX so that debug CRTs which check for the allocation of e.g.
(size_t)-1 never assert.

--- a/jbig2.c
+++ b/jbig2.c
@@ -60,11 +60,9 @@
 jbig2_alloc (Jbig2Allocator *allocator, size_t size, size_t num)
 {
   /* check for integer multiplication overflow */
-  int64_t check = ((int64_t)num)*((int64_t)size);
-  if (check != (int)check)
+  if (num > 0 && size >= (size_t)-0x100 / num)
     return NULL;
-  else
-    return allocator->alloc (allocator, (int)check);
+  return allocator->alloc(allocator, size * num);
 }
 
 void
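Review bot: The limit `(size_t)-0x100` in the new guard is an unexplained magic value in the code, and it is repeated verbatim in the jbig2_realloc hunk; the reason for it (debug CRTs asserting on requests near SIZE_MAX) is recorded only in the commit message. A shared definition such as `#define JBIG2_ALLOC_LIMIT ((size_t)-0x100) /* below SIZE_MAX so debug CRTs never assert */` (the name is only a suggestion) would keep the two checks from drifting apart. Separately, the removed `(int)check` comparison also capped every request at INT_MAX, and that ceiling is now gone. Callers that keep lengths or offsets in `int` are outside this hunk, so it is worth confirming that none of them depended on the old cap. The return-type line of jbig2_alloc sits above the hunk.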
@@ -77,11 +75,9 @@
 jbig2_realloc (Jbig2Allocator *allocator, void *p, size_t size, size_t num)
 {
   /* check for integer multiplication overflow */
-  int64_t check = ((int64_t)num)*((int64_t)size);
-  if (check != (int)check)
+  if (num > 0 && size >= (size_t)-0x100 / num)
     return NULL;
-  else
-    return allocator->realloc (allocator, p, (int)check);
+  return allocator->realloc(allocator, p, size * num);
 }
 
 static int
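Review bot: When `num == 0` (or `size == 0`) the guard does not fire and `allocator->realloc(allocator, p, 0)` is called, so the result depends entirely on how the allocator callback treats a zero-size request. That callback is not visible here; if it forwards to the C library, a NULL return may mean either "freed `p`" or "failed, `p` still valid", and a caller that guesses wrong either leaks or frees twice. If zero-element requests are never meaningful to callers, rejecting them makes the contract explicit: `if (size == 0 || num == 0 || size >= (size_t)-0x100 / num) return NULL;`. Otherwise a comment on the function, for example `/* a zero product is passed through; the result is allocator-defined */`, would document it. The same zero-size pass-through applies to jbig2_alloc in the first hunk.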