|
 |
3e9165 |
From 3e7facdbcdab27143327b216cddb42a6dd1a50a7 Mon Sep 17 00:00:00 2001
|
|
|
3e9165 |
From: Petr Gajdos <pgajdos@suse.cz>
|
|
|
3e9165 |
Date: Mon, 6 May 2024 11:26:12 +0200
|
|
|
3e9165 |
Subject: [PATCH] Check for zero width and height
|
|
|
3e9165 |
|
|
|
3e9165 |
Also check for positive number of gray levels.
|
|
|
3e9165 |
|
|
|
3e9165 |
The patch was created by Petr Gajdos for
|
|
|
3e9165 |
https://sourceforge.net/p/djvu/bugs/345/ and pushed
|
|
|
3e9165 |
by Marek Kasik to Fedora/EPEL repositories.
|
|
|
3e9165 |
---
|
|
|
3e9165 |
libdjvu/IW44EncodeCodec.cpp | 7 ++++++-
|
|
|
3e9165 |
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
3e9165 |
|
|
|
3e9165 |
diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
|
|
|
3e9165 |
index f81eaeb..7a402f7 100644
|
|
|
3e9165 |
--- a/libdjvu/IW44EncodeCodec.cpp
|
|
|
3e9165 |
+++ b/libdjvu/IW44EncodeCodec.cpp
|
|
|
3e9165 |
@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm, const GP<GBitmap> gmask)
|
|
|
3e9165 |
int h = bm.rows();
|
|
|
3e9165 |
int g = bm.get_grays()-1;
|
|
|
3e9165 |
signed char *buffer;
|
|
|
3e9165 |
- GPBuffer<signed char> gbuffer(buffer,w*h);
|
|
|
3e9165 |
+ size_t sz = w * h;
|
|
|
3e9165 |
+ if (sz == 0 || g <= 0) // w or h is zero or g is not positive
|
|
|
3e9165 |
+ G_THROW("IWBitmap: zero size image (corrupted file?)");
|
|
|
3e9165 |
+ if (sz / (size_t)w != (size_t)h) // multiplication overflow
|
|
|
3e9165 |
+ G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
|
|
|
3e9165 |
+ GPBuffer<signed char> gbuffer(buffer,sz);
|
|
|
3e9165 |
// Prepare gray level conversion table
|
|
|
3e9165 |
signed char bconv[256];
|
|
|
3e9165 |
for (i=0; i<256; i++)
|
|
|
3e9165 |
--
|
|
|
3e9165 |
2.44.0
|
|
|
3e9165 |
|