Fix potential overflow issue

"tjAlloc()" uses "malloc()" which takes a "size_t" number of bytes (an unsigned integer). However,"tjAlloc()" itself takes the number of bytes as a signed integer. So the width * height * tjPixelSize[pixelfmt] may overflow and become a negative integer. Fix by checking it and change to use malloc directly. Change-Id: Ia69e37f66c6674c1201c06df8e35d8877ae081cd Signed-off-by: N Yilu Mao <yilu.myl@alibaba-inc.com>

Fix potential overflow issue
"tjAlloc()" uses "malloc()" which takes a "size_t" number of bytes (an unsigned integer). However,"tjAlloc()" itself takes the number of bytes as a signed integer. So the width * height * tjPixelSize[pixelfmt] may overflow and become a negative integer. Fix by checking it and change to use malloc directly. Change-Id: Ia69e37f66c6674c1201c06df8e35d8877ae081cd Signed-off-by: N Yilu Mao <yilu.myl@alibaba-inc.com>
06e7107e · Yilu Mao · YiluMao · 04af12ab · 06e7107e
隐藏空白更改
内联并排

Showing with 9 addition and 2 deletion

components/ugraphics/src/jpegdec/jpegdec.c components/ugraphics/src/jpegdec/jpegdec.c +9 -2

未找到文件。
--- a/components/ugraphics/src/jpegdec/jpegdec.c
+++ b/components/ugraphics/src/jpegdec/jpegdec.c
@@ -124,8 +124,15 @@ int tjpeg2rgb(unsigned char *jpeg_buffer, int jpeg_size,
    }
    LOG("width: %d, height: %d", width, height);
    flags |= 0;
-    *rgb_buffer = (unsigned char *)tjAlloc(width * height *
-                                           tjPixelSize[pixelfmt]);
+
+    if ((unsigned long long)width * height * tjPixelSize[pixelfmt] >
+            (unsigned long long)((size_t)-1)) {
+        LOGE(TAG, "Image is too large!!!");
+        goto finish;
+    }
+    *rgb_buffer = (unsigned char *)malloc(sizeof(unsigned char) * width * height *
+                    tjPixelSize[pixelfmt]);
+
    if ((*rgb_buffer) == NULL) {
        LOGE(TAG, "allocating uncompressed image buffer");
        goto finish;