Commit 04dd34c14ed21d36e80447dd988fa1ce4ebe5ac5
2016-02-04T10:59:21
Guard against wrap-around in alloc functions Because of the exposed nature of the libjpeg API, alloc_small() and alloc_large() can potentially be called by external code. If an application were to call either of those functions with sizeofobject > SIZE_MAX - ALIGN_SIZE - 1, then the math in round_up_pow2() would wrap around to zero, causing that function to return a small value. That value would likely not exceed MAX_ALLOC_CHUNK, so the subsequent size checks in alloc_small() and alloc_large() would not catch the error. A similar problem could occur in 32-bit builds if alloc_sarray() were called with samplesperrow > SIZE_MAX - (2 * ALIGN_SIZE / sizeof(JSAMPLE)) - 1 This patch simply ensures that the size argument to the alloc_*() functions will never exceed MAX_ALLOC_CHUNK (1 billion). If it did, then subsequent size checks would eventually catch that error, so we are instead catching the error before round_up_pow2() is called. This addresses a minor concern (LJT-01-001) expressed in a security audit by Cure53.