mirror of
https://github.com/webmproject/libwebp.git
synced 2025-07-13 14:34:33 +02:00
harness some malloc/calloc to use WebPSafeMalloc and WebPSafeCalloc
quite a large security sweep. Change-Id: If150dfbb46e6e9b56210473a109c8ad6ccd0cea4
This commit is contained in:
Pascal Massimino
@ -13,6 +13,7 @@
|
||||
|
||||
#include "./vp8i.h"
|
||||
#include "./webpi.h"
|
||||
#include "../utils/utils.h"
|
||||
|
||||
#if defined(__cplusplus) || defined(c_plusplus)
|
||||
extern "C" {
|
||||
@ -95,14 +96,11 @@ static VP8StatusCode AllocateBuffer(WebPDecBuffer* const buffer) {
|
||||
total_size = size + 2 * uv_size + a_size;
|
||||
|
||||
// Security/sanity checks
|
||||
if (((size_t)total_size != total_size) || (total_size >= (1ULL << 40))) {
|
||||
return VP8_STATUS_INVALID_PARAM;
|
||||
}
|
||||
|
||||
buffer->private_memory = output = (uint8_t*)malloc((size_t)total_size);
|
||||
output = (uint8_t*)WebPSafeMalloc(total_size, sizeof(*output));
|
||||
if (output == NULL) {
|
||||
return VP8_STATUS_OUT_OF_MEMORY;
|
||||
}
|
||||
buffer->private_memory = output;
|
||||
|
||||
if (!WebPIsRGBMode(mode)) { // YUVA initialization
|
||||
WebPYUVABuffer* const buf = &buffer->u.YUVA;
|
||||
|
||||
@ -11,6 +11,7 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include "./vp8i.h"
|
||||
#include "../utils/utils.h"
|
||||
|
||||
#if defined(__cplusplus) || defined(c_plusplus)
|
||||
extern "C" {
|
||||
@ -435,11 +436,12 @@ static int AllocateMemory(VP8Decoder* const dec) {
|
||||
if (needed > dec->mem_size_) {
|
||||
free(dec->mem_);
|
||||
dec->mem_size_ = 0;
|
||||
dec->mem_ = (uint8_t*)malloc((size_t)needed);
|
||||
dec->mem_ = WebPSafeMalloc(needed, sizeof(uint8_t));
|
||||
if (dec->mem_ == NULL) {
|
||||
return VP8SetError(dec, VP8_STATUS_OUT_OF_MEMORY,
|
||||
"no memory during frame initialization.");
|
||||
}
|
||||
// down-cast is ok, thanks to WebPSafeAlloc() above.
|
||||
dec->mem_size_ = (size_t)needed;
|
||||
}
|
||||
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
|
||||
#include "./webpi.h"
|
||||
#include "./vp8i.h"
|
||||
#include "../utils/utils.h"
|
||||
|
||||
#if defined(__cplusplus) || defined(c_plusplus)
|
||||
extern "C" {
|
||||
@ -143,14 +144,15 @@ static int AppendToMemBuffer(WebPIDecoder* const idec,
|
||||
|
||||
if (mem->end_ + data_size > mem->buf_size_) { // Need some free memory
|
||||
const size_t current_size = MemDataSize(mem);
|
||||
const size_t new_size = current_size + data_size;
|
||||
const size_t extra_size = (new_size + CHUNK_SIZE - 1) & ~(CHUNK_SIZE - 1);
|
||||
uint8_t* const new_buf = (uint8_t*)malloc(extra_size);
|
||||
const uint64_t new_size = (uint64_t)current_size + data_size;
|
||||
const uint64_t extra_size = (new_size + CHUNK_SIZE - 1) & ~(CHUNK_SIZE - 1);
|
||||
uint8_t* const new_buf =
|
||||
(uint8_t*)WebPSafeMalloc(extra_size, sizeof(*new_buf));
|
||||
if (new_buf == NULL) return 0;
|
||||
memcpy(new_buf, old_base, current_size);
|
||||
free(mem->buf_);
|
||||
mem->buf_ = new_buf;
|
||||
mem->buf_size_ = extra_size;
|
||||
mem->buf_size_ = (size_t)extra_size;
|
||||
mem->start_ = 0;
|
||||
mem->end_ = current_size;
|
||||
}
|
||||
@ -534,7 +536,7 @@ static VP8StatusCode IDecode(WebPIDecoder* idec) {
|
||||
// Public functions
|
||||
|
||||
WebPIDecoder* WebPINewDecoder(WebPDecBuffer* output_buffer) {
|
||||
WebPIDecoder* idec = (WebPIDecoder*)calloc(1, sizeof(WebPIDecoder));
|
||||
WebPIDecoder* idec = (WebPIDecoder*)calloc(1, sizeof(*idec));
|
||||
if (idec == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -45,7 +45,7 @@ int VP8InitIoInternal(VP8Io* const io, int version) {
|
||||
}
|
||||
|
||||
VP8Decoder* VP8New(void) {
|
||||
VP8Decoder* const dec = (VP8Decoder*)calloc(1, sizeof(VP8Decoder));
|
||||
VP8Decoder* const dec = (VP8Decoder*)calloc(1, sizeof(*dec));
|
||||
if (dec != NULL) {
|
||||
SetOk(dec);
|
||||
WebPWorkerInit(&dec->worker_);
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
#include "./vp8li.h"
|
||||
#include "../dsp/lossless.h"
|
||||
#include "../utils/huffman.h"
|
||||
#include "../utils/utils.h"
|
||||
|
||||
#if defined(__cplusplus) || defined(c_plusplus)
|
||||
extern "C" {
|
||||
@ -264,7 +265,8 @@ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
|
||||
return 0;
|
||||
}
|
||||
|
||||
code_lengths = (int*)calloc(alphabet_size, sizeof(*code_lengths));
|
||||
code_lengths =
|
||||
(int*)WebPSafeCalloc((uint64_t)alphabet_size, sizeof(*code_lengths));
|
||||
if (code_lengths == NULL) {
|
||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
||||
return 0;
|
||||
@ -335,7 +337,9 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
||||
if (br->error_) goto Error;
|
||||
|
||||
assert(num_htree_groups <= 0x10000);
|
||||
htree_groups = (HTreeGroup*)calloc(num_htree_groups, sizeof(*htree_groups));
|
||||
htree_groups =
|
||||
(HTreeGroup*)WebPSafeCalloc((uint64_t)num_htree_groups,
|
||||
sizeof(*htree_groups));
|
||||
if (htree_groups == NULL) {
|
||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
||||
goto Error;
|
||||
@ -380,10 +384,7 @@ static int AllocateAndInitRescaler(VP8LDecoder* const dec, VP8Io* const io) {
|
||||
const uint64_t memory_size = sizeof(*dec->rescaler) +
|
||||
work_size * sizeof(*work) +
|
||||
scaled_data_size * sizeof(*scaled_data);
|
||||
uint8_t* memory;
|
||||
|
||||
if (memory_size != (size_t)memory_size) return 0; // overflow check
|
||||
memory = (uint8_t*)calloc(1, (size_t)memory_size);
|
||||
uint8_t* memory = (uint8_t*)WebPSafeCalloc(memory_size, sizeof(*memory));
|
||||
if (memory == NULL) {
|
||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
||||
return 0;
|
||||
@ -700,7 +701,8 @@ static int ExpandColorMap(int num_colors, VP8LTransform* const transform) {
|
||||
int i;
|
||||
const int final_num_colors = 1 << (8 >> transform->bits_);
|
||||
uint32_t* const new_color_map =
|
||||
(uint32_t*)malloc(final_num_colors * sizeof(*new_color_map));
|
||||
(uint32_t*)WebPSafeMalloc((uint64_t)final_num_colors,
|
||||
sizeof(*new_color_map));
|
||||
if (new_color_map == NULL) {
|
||||
return 0;
|
||||
} else {
|
||||
@ -892,15 +894,8 @@ static int DecodeImageStream(int xsize, int ysize,
|
||||
}
|
||||
|
||||
{
|
||||
const uint64_t total_size =
|
||||
transform_xsize * transform_ysize * sizeof(*data);
|
||||
if (total_size != (size_t)total_size) {
|
||||
// This shouldn't happen, because of transform_bits limit, but...
|
||||
dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
|
||||
ok = 0;
|
||||
goto End;
|
||||
}
|
||||
data = (uint32_t*)malloc((size_t)total_size);
|
||||
const uint64_t total_size = (uint64_t)transform_xsize * transform_ysize;
|
||||
data = (uint32_t*)WebPSafeMalloc(total_size, sizeof(*data));
|
||||
if (data == NULL) {
|
||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
||||
ok = 0;
|
||||
@ -951,12 +946,9 @@ static int AllocateARGBBuffers(VP8LDecoder* const dec, int final_width) {
|
||||
const uint64_t cache_pixels = (uint64_t)final_width * NUM_ARGB_CACHE_ROWS;
|
||||
const uint64_t total_num_pixels =
|
||||
num_pixels + cache_top_pixels + cache_pixels;
|
||||
const uint64_t total_size = total_num_pixels * sizeof(*dec->argb_);
|
||||
|
||||
assert(dec->width_ <= final_width);
|
||||
// Check for overflow
|
||||
if ((size_t)total_size != total_size) return 0;
|
||||
dec->argb_ = (uint32_t*)malloc((size_t)total_size);
|
||||
dec->argb_ = (uint32_t*)WebPSafeMalloc(total_num_pixels, sizeof(*dec->argb_));
|
||||
if (dec->argb_ == NULL) {
|
||||
dec->argb_cache_ = NULL;
|
||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
||||
|
||||
Reference in New Issue
Block a user