From 16718fe4ea5c57b69168932d57ee672a5be255b2 Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Sun, 14 Jan 2018 14:19:57 +0100 Subject: Fix buffer overflows in TIFF, PNG, IRIS, DPX, HDR and AVI loading. Solves these security issues from T52924: CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906 CVE-2017-2907 CVE-2017-2918 Differential Revision: https://developer.blender.org/D2999 --- source/blender/avi/CMakeLists.txt | 1 + source/blender/avi/intern/avi.c | 36 +++++--- source/blender/avi/intern/avi_codecs.c | 2 +- source/blender/avi/intern/avi_intern.h | 2 +- source/blender/avi/intern/avi_mjpeg.c | 92 +++++++++++--------- source/blender/avi/intern/avi_mjpeg.h | 4 +- source/blender/avi/intern/avi_rgb.c | 90 ++++++++++--------- source/blender/avi/intern/avi_rgb.h | 4 +- source/blender/avi/intern/avi_rgb32.c | 32 ++++--- source/blender/avi/intern/avi_rgb32.h | 4 +- source/blender/imbuf/IMB_imbuf.h | 6 ++ source/blender/imbuf/intern/allocimbuf.c | 40 ++++----- source/blender/imbuf/intern/bmp.c | 30 ++++--- source/blender/imbuf/intern/cineon/dpxlib.c | 3 +- source/blender/imbuf/intern/cineon/logImageCore.c | 101 ++++++++++------------ source/blender/imbuf/intern/cineon/logImageCore.h | 2 +- source/blender/imbuf/intern/iris.c | 65 +++++++++----- source/blender/imbuf/intern/png.c | 54 ++++++------ source/blender/imbuf/intern/radiance_hdr.c | 44 +++++----- source/blender/imbuf/intern/tiff.c | 26 ++++-- 20 files changed, 349 insertions(+), 289 deletions(-) diff --git a/source/blender/avi/CMakeLists.txt b/source/blender/avi/CMakeLists.txt index 292206d8cb9..5009bd2a30b 100644 --- a/source/blender/avi/CMakeLists.txt +++ b/source/blender/avi/CMakeLists.txt @@ -26,6 +26,7 @@ set(INC . ../blenlib + ../imbuf ../../../intern/guardedalloc ) diff --git a/source/blender/avi/intern/avi.c b/source/blender/avi/intern/avi.c index 9601d6e5002..6695998fd35 100644 --- a/source/blender/avi/intern/avi.c +++ b/source/blender/avi/intern/avi.c @@ -285,13 +285,15 @@ bool AVI_is_avi(const char *name) fseek(movie.fp, movie.header->size - 14 * 4, SEEK_CUR); - if (movie.header->Streams < 1) { - DEBUG_PRINT("streams less than 1\n"); + /* Limit number of streams to some reasonable amount to prevent + * buffer oveflow vulnerabilities. */ + if (movie.header->Streams < 1 || movie.header->Streams > 65536) { + DEBUG_PRINT("Number of streams should be in range 1-65536\n"); fclose(movie.fp); return 0; } - movie.streams = (AviStreamRec *) MEM_callocN(sizeof(AviStreamRec) * movie.header->Streams, "moviestreams"); + movie.streams = (AviStreamRec *) MEM_calloc_arrayN(movie.header->Streams, sizeof(AviStreamRec), "moviestreams"); for (temp = 0; temp < movie.header->Streams; temp++) { @@ -486,12 +488,14 @@ AviError AVI_open_movie(const char *name, AviMovie *movie) fseek(movie->fp, movie->header->size - 14 * 4, SEEK_CUR); - if (movie->header->Streams < 1) { - DEBUG_PRINT("streams less than 1\n"); + /* Limit number of streams to some reasonable amount to prevent + * buffer oveflow vulnerabilities. */ + if (movie->header->Streams < 1 || movie->header->Streams > 65536) { + DEBUG_PRINT("Number of streams should be in range 1-65536\n"); return AVI_ERROR_FORMAT; } - movie->streams = (AviStreamRec *) MEM_callocN(sizeof(AviStreamRec) * movie->header->Streams, "moviestreams"); + movie->streams = (AviStreamRec *) MEM_calloc_arrayN(movie->header->Streams, sizeof(AviStreamRec), "moviestreams"); for (temp = 0; temp < movie->header->Streams; temp++) { @@ -689,7 +693,7 @@ AviError AVI_open_movie(const char *name, AviMovie *movie) void *AVI_read_frame(AviMovie *movie, AviFormat format, int frame, int stream) { - int cur_frame = -1, temp, i = 0, rewind = 1; + int cur_frame = -1, i = 0, rewind = 1; void *buffer; /* Retrieve the record number of the desired frame in the index @@ -720,16 +724,16 @@ void *AVI_read_frame(AviMovie *movie, AviFormat format, int frame, int stream) fseek(movie->fp, movie->read_offset + movie->entries[i - 1].Offset, SEEK_SET); - temp = GET_FCC(movie->fp); - buffer = MEM_mallocN(temp, "readbuffer"); + size_t size = GET_FCC(movie->fp); + buffer = MEM_mallocN(size, "readbuffer"); - if (fread(buffer, 1, temp, movie->fp) != temp) { + if (fread(buffer, 1, size, movie->fp) != size) { MEM_freeN(buffer); return NULL; } - buffer = avi_format_convert(movie, stream, buffer, movie->streams[stream].format, format, &temp); + buffer = avi_format_convert(movie, stream, buffer, movie->streams[stream].format, format, &size); return buffer; } @@ -801,6 +805,13 @@ AviError AVI_open_compress(char *name, AviMovie *movie, int streams, ...) movie->header->Reserved[2] = 0; movie->header->Reserved[3] = 0; + /* Limit number of streams to some reasonable amount to prevent + * buffer oveflow vulnerabilities. */ + if (movie->header->Streams < 0 || movie->header->Streams > 65536) { + DEBUG_PRINT("Number of streams should be in range 0-65536\n"); + return AVI_ERROR_FORMAT; + } + movie->streams = (AviStreamRec *) MEM_mallocN(sizeof(AviStreamRec) * movie->header->Streams, "moviestreams"); va_start(ap, streams); @@ -968,7 +979,6 @@ AviError AVI_write_frame(AviMovie *movie, int frame_num, ...) int64_t rec_off; AviFormat format; void *buffer; - int size; if (frame_num < 0) return AVI_ERROR_OPTION; @@ -1002,7 +1012,7 @@ AviError AVI_write_frame(AviMovie *movie, int frame_num, ...) format = va_arg(ap, AviFormat); buffer = va_arg(ap, void *); - size = va_arg(ap, int); + size_t size = va_arg(ap, int); /* Convert the buffer into the output format */ buffer = avi_format_convert(movie, stream, buffer, format, movie->streams[stream].format, &size); diff --git a/source/blender/avi/intern/avi_codecs.c b/source/blender/avi/intern/avi_codecs.c index c14d088c8ea..f52ec44faab 100644 --- a/source/blender/avi/intern/avi_codecs.c +++ b/source/blender/avi/intern/avi_codecs.c @@ -39,7 +39,7 @@ #include "avi_mjpeg.h" #include "avi_rgb32.h" -void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, int *size) +void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, size_t *size) { if (from == to) return buffer; diff --git a/source/blender/avi/intern/avi_intern.h b/source/blender/avi/intern/avi_intern.h index 0b494047612..b2fec1edfc1 100644 --- a/source/blender/avi/intern/avi_intern.h +++ b/source/blender/avi/intern/avi_intern.h @@ -59,7 +59,7 @@ unsigned int GET_TCC(FILE *fp); putc(ch2[1], fp); \ } (void)0 -void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, int *size); +void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, size_t *size); int avi_get_data_id(AviFormat format, int stream); int avi_get_format_type(AviFormat format); diff --git a/source/blender/avi/intern/avi_mjpeg.c b/source/blender/avi/intern/avi_mjpeg.c index 1fa9da6b3a2..258426809fb 100644 --- a/source/blender/avi/intern/avi_mjpeg.c +++ b/source/blender/avi/intern/avi_mjpeg.c @@ -39,15 +39,17 @@ #include "MEM_guardedalloc.h" +#include "IMB_imbuf.h" + #include "jpeglib.h" #include "jerror.h" #include "avi_mjpeg.h" -static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, int bufsize); -static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, int bufsize); +static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, size_t bufsize); +static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, size_t bufsize); -static int numbytes; +static size_t numbytes; static void add_huff_table(j_decompress_ptr dinfo, JHUFF_TBL **htblptr, const UINT8 *bits, const UINT8 *val) { @@ -151,10 +153,8 @@ static void std_huff_tables(j_decompress_ptr dinfo) bits_ac_chrominance, val_ac_chrominance); } -static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsigned int width, unsigned int height, int bufsize) +static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsigned int width, unsigned int height, size_t bufsize) { - int rowstride; - unsigned int y; struct jpeg_decompress_struct dinfo; struct jpeg_error_mgr jerr; @@ -174,8 +174,8 @@ static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsign jpeg_start_decompress(&dinfo); - rowstride = dinfo.output_width * dinfo.output_components; - for (y = 0; y < dinfo.output_height; y++) { + size_t rowstride = dinfo.output_width * dinfo.output_components; + for (size_t y = 0; y < dinfo.output_height; y++) { jpeg_read_scanlines(&dinfo, (JSAMPARRAY) &outBuffer, 1); outBuffer += rowstride; } @@ -194,7 +194,7 @@ static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsign jpeg_start_decompress(&dinfo); rowstride = dinfo.output_width * dinfo.output_components; - for (y = 0; y < dinfo.output_height; y++) { + for (size_t y = 0; y < dinfo.output_height; y++) { jpeg_read_scanlines(&dinfo, (JSAMPARRAY) &outBuffer, 1); outBuffer += rowstride; } @@ -204,10 +204,8 @@ static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsign return 1; } -static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned char *inBuffer, int width, int height, int bufsize) +static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned char *inBuffer, int width, int height, size_t bufsize) { - int i, rowstride; - unsigned int y; struct jpeg_compress_struct cinfo; struct jpeg_error_mgr jerr; unsigned char marker[60]; @@ -240,7 +238,7 @@ static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned jpeg_start_compress(&cinfo, false); - i = 0; + int i = 0; marker[i++] = 'A'; marker[i++] = 'V'; marker[i++] = 'I'; @@ -257,8 +255,8 @@ static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned jpeg_write_marker(&cinfo, JPEG_COM, marker, 60); - rowstride = cinfo.image_width * cinfo.input_components; - for (y = 0; y < cinfo.image_height; y++) { + size_t rowstride = cinfo.image_width * cinfo.input_components; + for (size_t y = 0; y < cinfo.image_height; y++) { jpeg_write_scanlines(&cinfo, (JSAMPARRAY) &inBuffer, 1); inBuffer += rowstride; } @@ -268,7 +266,7 @@ static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned static void interlace(unsigned char *to, unsigned char *from, int width, int height) { - int i, rowstride = width * 3; + size_t i, rowstride = width * 3; for (i = 0; i < height; i++) { if (i & 1) @@ -280,7 +278,7 @@ static void interlace(unsigned char *to, unsigned char *from, int width, int hei static void deinterlace(int odd, unsigned char *to, unsigned char *from, int width, int height) { - int i, rowstride = width * 3; + size_t i, rowstride = width * 3; for (i = 0; i < height; i++) { if ((i & 1) == odd) @@ -290,22 +288,27 @@ static void deinterlace(int odd, unsigned char *to, unsigned char *from, int wid } } -void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { int deint; unsigned char *buf; (void)stream; /* unused */ - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_from_mjpeg 1"); + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_from_mjpeg 1"); + if (!buf) { + return NULL; + } deint = Decode_JPEG(buffer, buf, movie->header->Width, movie->header->Height, *size); MEM_freeN(buffer); if (deint) { - buffer = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_from_mjpeg 2"); - interlace(buffer, buf, movie->header->Width, movie->header->Height); + buffer = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_from_mjpeg 2"); + if (buffer) { + interlace(buffer, buf, movie->header->Width, movie->header->Height); + } MEM_freeN(buf); buf = buffer; @@ -314,43 +317,50 @@ void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffe return buf; } -void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { unsigned char *buf; - int bufsize = *size; + size_t bufsize = *size; numbytes = 0; *size = 0; - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_to_mjpeg 1"); + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_to_mjpeg 1"); + if (!buf) { + return NULL; + } + if (!movie->interlace) { Compress_JPEG(movie->streams[stream].sh.Quality / 100, buf, buffer, movie->header->Width, movie->header->Height, bufsize); + *size += numbytes; } else { deinterlace(movie->odd_fields, buf, buffer, movie->header->Width, movie->header->Height); MEM_freeN(buffer); buffer = buf; - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_to_mjpeg 2"); - - Compress_JPEG(movie->streams[stream].sh.Quality / 100, - buf, buffer, - movie->header->Width, - movie->header->Height / 2, - bufsize / 2); - *size += numbytes; - numbytes = 0; - Compress_JPEG(movie->streams[stream].sh.Quality / 100, - buf + *size, buffer + (movie->header->Height / 2) * movie->header->Width * 3, - movie->header->Width, - movie->header->Height / 2, - bufsize / 2); + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_to_mjpeg 1"); + + if (buf) { + Compress_JPEG(movie->streams[stream].sh.Quality / 100, + buf, buffer, + movie->header->Width, + movie->header->Height / 2, + bufsize / 2); + *size += numbytes; + numbytes = 0; + Compress_JPEG(movie->streams[stream].sh.Quality / 100, + buf + *size, buffer + (size_t)(movie->header->Height / 2) * (size_t)movie->header->Width * 3, + movie->header->Width, + movie->header->Height / 2, + bufsize / 2); + *size += numbytes; + } } - *size += numbytes; MEM_freeN(buffer); return buf; @@ -377,7 +387,7 @@ static void jpegmemdestmgr_term_destination(j_compress_ptr cinfo) MEM_freeN(cinfo->dest); } -static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, int bufsize) +static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, size_t bufsize) { cinfo->dest = MEM_mallocN(sizeof(*(cinfo->dest)), "avi.jpegmemdestmgr_build"); @@ -430,7 +440,7 @@ static void jpegmemsrcmgr_term_source(j_decompress_ptr dinfo) MEM_freeN(dinfo->src); } -static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, int bufsize) +static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, size_t bufsize) { dinfo->src = MEM_mallocN(sizeof(*(dinfo->src)), "avi.jpegmemsrcmgr_build"); diff --git a/source/blender/avi/intern/avi_mjpeg.h b/source/blender/avi/intern/avi_mjpeg.h index e8cba1849e7..e1e3cdf1fd8 100644 --- a/source/blender/avi/intern/avi_mjpeg.h +++ b/source/blender/avi/intern/avi_mjpeg.h @@ -32,7 +32,7 @@ #ifndef __AVI_MJPEG_H__ #define __AVI_MJPEG_H__ -void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size); -void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size); +void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); +void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); #endif /* __AVI_MJPEG_H__ */ diff --git a/source/blender/avi/intern/avi_rgb.c b/source/blender/avi/intern/avi_rgb.c index 632ecad61a6..f0baf7c6c14 100644 --- a/source/blender/avi/intern/avi_rgb.c +++ b/source/blender/avi/intern/avi_rgb.c @@ -40,11 +40,12 @@ #include "AVI_avi.h" #include "avi_rgb.h" +#include "IMB_imbuf.h" + /* implementation */ -void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int x, y, i, rowstride; unsigned char *buf; AviBitmapInfoHeader *bi; short bits = 32; @@ -60,33 +61,35 @@ void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buf #ifdef __BIG_ENDIAN__ unsigned char *pxla; #endif - - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf"); - y = movie->header->Height; - to = buf; + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf"); + + if (buf) { + size_t y = movie->header->Height; + to = buf; + + while (y--) { + pxl = (unsigned short *) (buffer + y * movie->header->Width * 2); - while (y--) { - pxl = (unsigned short *) (buffer + y * movie->header->Width * 2); - #ifdef __BIG_ENDIAN__ - pxla = (unsigned char *)pxl; + pxla = (unsigned char *)pxl; #endif - x = movie->header->Width; - while (x--) { + size_t x = movie->header->Width; + while (x--) { #ifdef __BIG_ENDIAN__ - i = pxla[0]; - pxla[0] = pxla[1]; - pxla[1] = i; - - pxla += 2; + int i = pxla[0]; + pxla[0] = pxla[1]; + pxla[1] = i; + + pxla += 2; #endif - - *(to++) = ((*pxl >> 10) & 0x1f) * 8; - *(to++) = ((*pxl >> 5) & 0x1f) * 8; - *(to++) = (*pxl & 0x1f) * 8; - pxl++; + + *(to++) = ((*pxl >> 10) & 0x1f) * 8; + *(to++) = ((*pxl >> 5) & 0x1f) * 8; + *(to++) = (*pxl & 0x1f) * 8; + pxl++; + } } } @@ -95,48 +98,49 @@ void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buf return buf; } else { - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf"); - - rowstride = movie->header->Width * 3; - if ((bits != 16) && (movie->header->Width % 2)) rowstride++; - - for (y = 0; y < movie->header->Height; y++) { - memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3); - } + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf"); - for (y = 0; y < movie->header->Height * movie->header->Width * 3; y += 3) { - i = buf[y]; - buf[y] = buf[y + 2]; - buf[y + 2] = i; + if (buf) { + size_t rowstride = movie->header->Width * 3; + if ((bits != 16) && (movie->header->Width % 2)) rowstride++; + + for (size_t y = 0; y < movie->header->Height; y++) { + memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3); + } + + for (size_t y = 0; y < (size_t)movie->header->Height * (size_t)movie->header->Width * 3; y += 3) { + int i = buf[y]; + buf[y] = buf[y + 2]; + buf[y + 2] = i; + } } - + MEM_freeN(buffer); - + return buf; } } -void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int y, x, i, rowstride; unsigned char *buf; (void)stream; /* unused */ - rowstride = movie->header->Width * 3; + size_t rowstride = movie->header->Width * 3; /* AVI files has uncompressed lines 4-byte aligned */ rowstride = (rowstride + 3) & ~3; *size = movie->header->Height * rowstride; buf = MEM_mallocN(*size, "toavirgbbuf"); - for (y = 0; y < movie->header->Height; y++) { + for (size_t y = 0; y < movie->header->Height; y++) { memcpy(&buf[y * rowstride], &buffer[((movie->header->Height - 1) - y) * movie->header->Width * 3], movie->header->Width * 3); } - for (y = 0; y < movie->header->Height; y++) { - for (x = 0; x < movie->header->Width * 3; x += 3) { - i = buf[y * rowstride + x]; + for (size_t y = 0; y < movie->header->Height; y++) { + for (size_t x = 0; x < movie->header->Width * 3; x += 3) { + int i = buf[y * rowstride + x]; buf[y * rowstride + x] = buf[y * rowstride + x + 2]; buf[y * rowstride + x + 2] = i; } diff --git a/source/blender/avi/intern/avi_rgb.h b/source/blender/avi/intern/avi_rgb.h index 773166e9fab..67bb4172769 100644 --- a/source/blender/avi/intern/avi_rgb.h +++ b/source/blender/avi/intern/avi_rgb.h @@ -32,7 +32,7 @@ #ifndef __AVI_RGB_H__ #define __AVI_RGB_H__ -void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size); -void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size); +void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); +void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); #endif /* __AVI_RGB_H__ */ diff --git a/source/blender/avi/intern/avi_rgb32.c b/source/blender/avi/intern/avi_rgb32.c index c9cbcb05bb8..051fdba1cd2 100644 --- a/source/blender/avi/intern/avi_rgb32.c +++ b/source/blender/avi/intern/avi_rgb32.c @@ -37,24 +37,28 @@ #include "MEM_guardedalloc.h" +#include "IMB_imbuf.h" + #include "AVI_avi.h" #include "avi_rgb32.h" -void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int y, x, rowstridea, rowstrideb; unsigned char *buf; (void)stream; /* unused */ - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromrgb32buf"); - *size = movie->header->Height * movie->header->Width * 3; + *size = (size_t)movie->header->Height * (size_t)movie->header->Width * 3; + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromrgb32buf"); + if (!buf) { + return NULL; + } - rowstridea = movie->header->Width * 3; - rowstrideb = movie->header->Width * 4; + size_t rowstridea = movie->header->Width * 3; + size_t rowstrideb = movie->header->Width * 4; - for (y = 0; y < movie->header->Height; y++) { - for (x = 0; x < movie->header->Width; x++) { + for (size_t y = 0; y < movie->header->Height; y++) { + for (size_t x = 0; x < movie->header->Width; x++) { buf[y * rowstridea + x * 3 + 0] = buffer[y * rowstrideb + x * 4 + 3]; buf[y * rowstridea + x * 3 + 1] = buffer[y * rowstrideb + x * 4 + 2]; buf[y * rowstridea + x * 3 + 2] = buffer[y * rowstrideb + x * 4 + 1]; @@ -66,21 +70,23 @@ void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffe return buf; } -void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int i; unsigned char *buf; unsigned char *to, *from; (void)stream; /* unused */ - *size = movie->header->Height * movie->header->Width * 4; - buf = MEM_mallocN(*size, "torgb32buf"); + *size = (size_t)movie->header->Height * (size_t)movie->header->Width * 4; + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "torgb32buf"); + if (!buf) { + return NULL; + } memset(buf, 255, *size); to = buf; from = buffer; - i = movie->header->Height * movie->header->Width; + size_t i = (size_t)movie->header->Height * (size_t)movie->header->Width; while (i--) { memcpy(to, from, 3); diff --git a/source/blender/avi/intern/avi_rgb32.h b/source/blender/avi/intern/avi_rgb32.h index 523f9e795fd..a9373a69821 100644 --- a/source/blender/avi/intern/avi_rgb32.h +++ b/source/blender/avi/intern/avi_rgb32.h @@ -32,7 +32,7 @@ #ifndef __AVI_RGB32_H__ #define __AVI_RGB32_H__ -void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size); -void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size); +void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); +void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size); #endif /* __AVI_RGB32_H__ */ diff --git a/source/blender/imbuf/IMB_imbuf.h b/source/blender/imbuf/IMB_imbuf.h index f1f36351e79..a7f793b5b11 100644 --- a/source/blender/imbuf/IMB_imbuf.h +++ b/source/blender/imbuf/IMB_imbuf.h @@ -583,6 +583,12 @@ bool IMB_metadata_change_field(struct ImBuf *img, const char *key, const char *f void IMB_metadata_copy(struct ImBuf *dimb, struct ImBuf *simb); /* exported for image tools in blender, to quickly allocate 32 bits rect */ +void *imb_alloc_pixels(unsigned int x, + unsigned int y, + unsigned int channels, + size_t typesize, + const char *name); + bool imb_addrectImBuf(struct ImBuf *ibuf); void imb_freerectImBuf(struct ImBuf *ibuf); diff --git a/source/blender/imbuf/intern/allocimbuf.c b/source/blender/imbuf/intern/allocimbuf.c index 6e9bfa1fc4e..7fc4a65d8d7 100644 --- a/source/blender/imbuf/intern/allocimbuf.c +++ b/source/blender/imbuf/intern/allocimbuf.c @@ -265,15 +265,11 @@ ImBuf *IMB_makeSingleUser(ImBuf *ibuf) bool addzbufImBuf(ImBuf *ibuf) { - size_t size; - if (ibuf == NULL) return false; IMB_freezbufImBuf(ibuf); - size = (size_t)ibuf->x * (size_t)ibuf->y * sizeof(unsigned int); - - if ((ibuf->zbuf = MEM_mapallocN(size, __func__))) { + if ((ibuf->zbuf = imb_alloc_pixels(ibuf->x, ibuf->y, 1, sizeof(unsigned int), __func__))) { ibuf->mall |= IB_zbuf; ibuf->flags |= IB_zbuf; return true; @@ -284,15 +280,11 @@ bool addzbufImBuf(ImBuf *ibuf) bool addzbuffloatImBuf(ImBuf *ibuf) { - size_t size; - if (ibuf == NULL) return false; IMB_freezbuffloatImBuf(ibuf); - size = (size_t)ibuf->x * (size_t)ibuf->y * sizeof(float); - - if ((ibuf->zbuf_float = MEM_mapallocN(size, __func__))) { + if ((ibuf->zbuf_float = imb_alloc_pixels(ibuf->x, ibuf->y, 1, sizeof(float), __func__))) { ibuf->mall |= IB_zbuffloat; ibuf->flags |= IB_zbuffloat; return true; @@ -361,19 +353,31 @@ bool imb_enlargeencodedbufferImBuf(ImBuf *ibuf) return true; } +void *imb_alloc_pixels(unsigned int x, + unsigned int y, + unsigned int channels, + size_t typesize, + const char *name) +{ + /* Protect against buffer overflow vulnerabilities from files specifying + * a width and height that overflow and alloc too little memory. */ + if (!((uint64_t)x * (uint64_t)y < (SIZE_MAX / (channels * typesize)))) { + return NULL; + } + + size_t size = (size_t)x * (size_t)y * (size_t)channels * typesize; + return MEM_mapallocN(size, name); +} + bool imb_addrectfloatImBuf(ImBuf *ibuf) { - size_t size; - if (ibuf == NULL) return false; if (ibuf->rect_float) imb_freerectfloatImBuf(ibuf); /* frees mipmap too, hrm */ - size = (size_t)ibuf->x * (size_t)ibuf->y * sizeof(float[4]); - ibuf->channels = 4; - if ((ibuf->rect_float = MEM_mapallocN(size, __func__))) { + if ((ibuf->rect_float = imb_alloc_pixels(ibuf->x, ibuf->y, 4, sizeof(float), __func__))) { ibuf->mall |= IB_rectfloat; ibuf->flags |= IB_rectfloat; return true; @@ -385,8 +389,6 @@ bool imb_addrectfloatImBuf(ImBuf *ibuf) /* question; why also add zbuf? */ bool imb_addrectImBuf(ImBuf *ibuf) { - size_t size; - if (ibuf == NULL) return false; /* don't call imb_freerectImBuf, it frees mipmaps, this call is used only too give float buffers display */ @@ -394,9 +396,7 @@ bool imb_addrectImBuf(ImBuf *ibuf) MEM_freeN(ibuf->rect); ibuf->rect = NULL; - size = (size_t)ibuf->x * (size_t)ibuf->y * sizeof(unsigned int); - - if ((ibuf->rect = MEM_mapallocN(size, __func__))) { + if ((ibuf->rect = imb_alloc_pixels(ibuf->x, ibuf->y, 4, sizeof(unsigned char), __func__))) { ibuf->mall |= IB_rect; ibuf->flags |= IB_rect; if (ibuf->planes > 32) { diff --git a/source/blender/imbuf/intern/bmp.c b/source/blender/imbuf/intern/bmp.c index c5694148127..e63699ea5ba 100644 --- a/source/blender/imbuf/intern/bmp.c +++ b/source/blender/imbuf/intern/bmp.c @@ -124,7 +124,7 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c { struct ImBuf *ibuf = NULL; BMPINFOHEADER bmi; - int x, y, depth, ibuf_depth, skip, i, j; + int x, y, depth, ibuf_depth, skip; const unsigned char *bmp; unsigned char *rect; unsigned short col; @@ -179,13 +179,17 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c } else { ibuf = IMB_allocImBuf(x, y, ibuf_depth, IB_rect); + if (!ibuf) { + return NULL; + } + rect = (unsigned char *) ibuf->rect; if (depth <= 8) { const int rowsize = (depth * x + 31) / 32 * 4; const char (*palette)[4] = (void *)(mem + skip); const int startmask = ((1 << depth) - 1) << 8; - for (i = y; i > 0; i--) { + for (size_t i = y; i > 0; i--) { int index; int bitoffs = 8; int bitmask = startmask; @@ -194,7 +198,7 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c if (top_to_bottom) { rect = (unsigned char *) &ibuf->rect[(i - 1) * x]; } - for (j = x; j > 0; j--) { + for (size_t j = x; j > 0; j--) { bitoffs -= depth; bitmask >>= depth; index = (bmp[0] & bitmask) >> bitoffs; @@ -219,11 +223,11 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c } } else if (depth == 16) { - for (i = y; i > 0; i--) { + for (size_t i = y; i > 0; i--) { if (top_to_bottom) { rect = (unsigned char *) &ibuf->rect[(i - 1) * x]; } - for (j = x; j > 0; j--) { + for (size_t j = x; j > 0; j--) { col = bmp[0] + (bmp[1] << 8); rect[0] = ((col >> 10) & 0x1f) << 3; rect[1] = ((col >> 5) & 0x1f) << 3; @@ -236,11 +240,11 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c } else if (depth == 24) { const int x_pad = x % 4; - for (i = y; i > 0; i--) { + for (size_t i = y; i > 0; i--) { if (top_to_bottom) { rect = (unsigned char *) &ibuf->rect[(i - 1) * x]; } - for (j = x; j > 0; j--) { + for (size_t j = x; j > 0; j--) { rect[0] = bmp[2]; rect[1] = bmp[1]; rect[2] = bmp[0]; @@ -253,11 +257,11 @@ struct ImBuf *imb_bmp_decode(const unsigned char *mem, size_t size, int flags, c } } else if (depth == 32) { - for (i = y; i > 0; i--) { + for (size_t i = y; i > 0; i--) { if (top_to_bottom) { rect = (unsigned char *) &ibuf->rect[(i - 1) * x]; } - for (j = x; j > 0; j--) { + for (size_t j = x; j > 0; j--) { rect[0] = bmp[2]; rect[1] = bmp[1]; rect[2] = bmp[0]; @@ -299,7 +303,7 @@ static int putShortLSB(unsigned short us, FILE *ofile) int imb_savebmp(struct ImBuf *ibuf, const char *name, int flags) { BMPINFOHEADER infoheader; - int bytesize, extrabytes, x, y, t, ptr; + size_t bytesize, extrabytes, ptr; uchar *data; FILE *ofile; @@ -331,15 +335,15 @@ int imb_savebmp(struct ImBuf *ibuf, const char *name, int flags) putIntLSB(0, ofile); /* Need to write out padded image data in bgr format */ - for (y = 0; y < ibuf->y; y++) { - for (x = 0; x < ibuf->x; x++) { + for (size_t y = 0; y < ibuf->y; y++) { + for (size_t x = 0; x < ibuf->x; x++) { ptr = (x + y * ibuf->x) * 4; if (putc(data[ptr + 2], ofile) == EOF) return 0; if (putc(data[ptr + 1], ofile) == EOF) return 0; if (putc(data[ptr], ofile) == EOF) return 0; } /* add padding here */ - for (t = 0; t < extrabytes; t++) { + for (size_t t = 0; t < extrabytes; t++) { if (putc(0, ofile) == EOF) return 0; } } diff --git a/source/blender/imbuf/intern/cineon/dpxlib.c b/source/blender/imbuf/intern/cineon/dpxlib.c index 429a19936a5..c05f85314c2 100644 --- a/source/blender/imbuf/intern/cineon/dpxlib.c +++ b/source/blender/imbuf/intern/cineon/dpxlib.c @@ -193,7 +193,8 @@ LogImageFile *dpxOpen(const unsigned char *byteStuff, int fromMemory, size_t buf dpx->srcFormat = format_DPX; dpx->numElements = swap_ushort(header.imageHeader.elements_per_image, dpx->isMSB); - if (dpx->numElements == 0) { + size_t max_elements = sizeof(header.imageHeader.element)/sizeof(header.imageHeader.element[0]); + if (dpx->numElements == 0 || dpx->numElements >= max_elements) { if (verbose) printf("DPX: Wrong number of elements: %d\n", dpx->numElements); logImageClose(dpx); return NULL; diff --git a/source/blender/imbuf/intern/cineon/logImageCore.c b/source/blender/imbuf/intern/cineon/logImageCore.c index 7b5dec4da41..376d40a5f6b 100644 --- a/source/blender/imbuf/intern/cineon/logImageCore.c +++ b/source/blender/imbuf/intern/cineon/logImageCore.c @@ -38,6 +38,8 @@ #include "BLI_fileops.h" #include "BLI_utildefines.h" +#include "IMB_imbuf.h" + #include "MEM_guardedalloc.h" /* @@ -162,7 +164,7 @@ void logImageGetSize(LogImageFile *logImage, int *width, int *height, int *depth * Helper */ -unsigned int getRowLength(int width, LogImageElement logElement) +size_t getRowLength(size_t width, LogImageElement logElement) { /* return the row length in bytes according to width and packing method */ switch (logElement.bitsPerSample) { @@ -201,7 +203,7 @@ int logImageSetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB float *elementData; int returnValue; - elementData = (float *)MEM_mallocN(logImage->width * logImage->height * logImage->depth * sizeof(float), __func__); + elementData = (float *)imb_alloc_pixels(logImage->width, logImage->height, logImage->depth, sizeof(float), __func__); if (elementData == NULL) return 1; @@ -238,9 +240,8 @@ int logImageSetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB static int logImageSetData8(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned char *row; - int x, y; row = (unsigned char *)MEM_mallocN(rowLength, __func__); if (row == NULL) { @@ -249,8 +250,8 @@ static int logImageSetData8(LogImageFile *logImage, LogImageElement logElement, } memset(row, 0, rowLength); - for (y = 0; y < logImage->height; y++) { - for (x = 0; x < logImage->width * logImage->depth; x++) + for (size_t y = 0; y < logImage->height; y++) { + for (size_t x = 0; x < logImage->width * logImage->depth; x++) row[x] = (unsigned char)float_uint(data[y * logImage->width * logImage->depth + x], 255); if (logimage_fwrite(row, rowLength, 1, logImage) == 0) { @@ -265,10 +266,9 @@ static int logImageSetData8(LogImageFile *logImage, LogImageElement logElement, static int logImageSetData10(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned int pixel, index; unsigned int *row; - int x, y, offset; row = (unsigned int *)MEM_mallocN(rowLength, __func__); if (row == NULL) { @@ -276,12 +276,12 @@ static int logImageSetData10(LogImageFile *logImage, LogImageElement logElement, return 1; } - for (y = 0; y < logImage->height; y++) { - offset = 22; + for (size_t y = 0; y < logImage->height; y++) { + int offset = 22; index = 0; pixel = 0; - for (x = 0; x < logImage->width * logImage->depth; x++) { + for (size_t x = 0; x < logImage->width * logImage->depth; x++) { pixel |= (unsigned int)float_uint(data[y * logImage->width * logImage->depth + x], 1023) << offset; offset -= 10; if (offset < 0) { @@ -308,9 +308,8 @@ static int logImageSetData10(LogImageFile *logImage, LogImageElement logElement, static int logImageSetData12(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned short *row; - int x, y; row = (unsigned short *)MEM_mallocN(rowLength, __func__); if (row == NULL) { @@ -318,8 +317,8 @@ static int logImageSetData12(LogImageFile *logImage, LogImageElement logElement, return 1; } - for (y = 0; y < logImage->height; y++) { - for (x = 0; x < logImage->width * logImage->depth; x++) + for (size_t y = 0; y < logImage->height; y++) { + for (size_t x = 0; x < logImage->width * logImage->depth; x++) row[x] = swap_ushort(((unsigned short)float_uint(data[y * logImage->width * logImage->depth + x], 4095)) << 4, logImage->isMSB); if (logimage_fwrite(row, rowLength, 1, logImage) == 0) { @@ -334,9 +333,8 @@ static int logImageSetData12(LogImageFile *logImage, LogImageElement logElement, static int logImageSetData16(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned short *row; - int x, y; row = (unsigned short *)MEM_mallocN(rowLength, __func__); if (row == NULL) { @@ -344,8 +342,8 @@ static int logImageSetData16(LogImageFile *logImage, LogImageElement logElement, return 1; } - for (y = 0; y < logImage->height; y++) { - for (x = 0; x < logImage->width * logImage->depth; x++) + for (size_t y = 0; y < logImage->height; y++) { + for (size_t x = 0; x < logImage->width * logImage->depth; x++) row[x] = swap_ushort((unsigned short)float_uint(data[y * logImage->width * logImage->depth + x], 65535), logImage->isMSB); if (logimage_fwrite(row, rowLength, 1, logImage) == 0) { @@ -382,7 +380,7 @@ int logImageGetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB /* descriptor_Depth and descriptor_Composite are not supported */ if (logImage->element[i].descriptor != descriptor_Depth && logImage->element[i].descriptor != descriptor_Composite) { /* Allocate memory */ - elementData[i] = (float *)MEM_mallocN(logImage->width * logImage->height * logImage->element[i].depth * sizeof(float), __func__); + elementData[i] = imb_alloc_pixels(logImage->width, logImage->height, logImage->element[i].depth, sizeof(float), __func__); if (elementData[i] == NULL) { if (verbose) printf("DPX/Cineon: Cannot allocate memory for elementData[%d]\n.", i); for (j = 0; j < i; j++) @@ -530,7 +528,7 @@ int logImageGetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB } } - mergedData = (float *)MEM_mallocN(logImage->width * logImage->height * mergedElement.depth * sizeof(float), __func__); + mergedData = (float *)imb_alloc_pixels(logImage->width, logImage->height, mergedElement.depth, sizeof(float), __func__); if (mergedData == NULL) { if (verbose) printf("DPX/Cineon: Cannot allocate mergedData.\n"); for (i = 0; i < logImage->numElements; i++) @@ -590,7 +588,6 @@ static int logImageElementGetData(LogImageFile *logImage, LogImageElement logEle static int logImageElementGetData1(LogImageFile *logImage, LogImageElement logElement, float *data) { unsigned int pixel; - int x, y, offset; /* seek at the right place */ if (logimage_fseek(logImage, logElement.dataOffset, SEEK_SET) != 0) { @@ -599,14 +596,14 @@ static int logImageElementGetData1(LogImageFile *logImage, LogImageElement logEl } /* read 1 bit data padded to 32 bits */ - for (y = 0; y < logImage->height; y++) { - for (x = 0; x < logImage->width * logElement.depth; x += 32) { + for (size_t y = 0; y < logImage->height; y++) { + for (size_t x = 0; x < logImage->width * logElement.depth; x += 32) { if (logimage_read_uint(&pixel, logImage) != 0) { if (verbose) printf("DPX/Cineon: EOF reached\n"); return 1; } pixel = swap_uint(pixel, logImage->isMSB); - for (offset = 0; offset < 32 && x + offset < logImage->width; offset++) + for (int offset = 0; offset < 32 && x + offset < logImage->width; offset++) data[y * logImage->width * logElement.depth + x + offset] = (float)((pixel >> offset) & 0x01); } } @@ -615,19 +612,18 @@ static int logImageElementGetData1(LogImageFile *logImage, LogImageElement logEl static int logImageElementGetData8(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned char pixel; - int x, y; /* extract required pixels */ - for (y = 0; y < logImage->height; y++) { + for (size_t y = 0; y < logImage->height; y++) { /* 8 bits are 32-bits padded so we need to seek at each row */ if (logimage_fseek(logImage, logElement.dataOffset + y * rowLength, SEEK_SET) != 0) { - if (verbose) printf("DPX/Cineon: Couldn't seek at %d\n", logElement.dataOffset + y * (int)rowLength); + if (verbose) printf("DPX/Cineon: Couldn't seek at %d\n", (int)(logElement.dataOffset + y * rowLength)); return 1; } - for (x = 0; x < logImage->width * logElement.depth; x++) { + for (size_t x = 0; x < logImage->width * logElement.depth; x++) { if (logimage_read_uchar(&pixel, logImage) != 0) { if (verbose) printf("DPX/Cineon: EOF reached\n"); return 1; @@ -641,7 +637,6 @@ static int logImageElementGetData8(LogImageFile *logImage, LogImageElement logEl static int logImageElementGetData10(LogImageFile *logImage, LogImageElement logElement, float *data) { unsigned int pixel; - int x, y, offset; /* seek to data */ if (logimage_fseek(logImage, logElement.dataOffset, SEEK_SET) != 0) { @@ -650,9 +645,9 @@ static int logImageElementGetData10(LogImageFile *logImage, LogImageElement logE } if (logImage->depth == 1 && logImage->srcFormat == format_DPX) { - for (y = 0; y < logImage->height; y++) { - offset = 32; - for (x = 0; x < logImage->width * logElement.depth; x++) { + for (size_t y = 0; y < logImage->height; y++) { + int offset = 32; + for (size_t x = 0; x < logImage->width * logElement.depth; x++) { /* we need to read the next long */ if (offset >= 30) { if (logElement.packing == 1) @@ -672,9 +667,9 @@ static int logImageElementGetData10(LogImageFile *logImage, LogImageElement logE } } else { - for (y = 0; y < logImage->height; y++) { - offset = -1; - for (x = 0; x < logImage->width * logElement.depth; x++) { + for (size_t y = 0; y < logImage->height; y++) { + int offset = -1; + for (size_t x = 0; x < logImage->width * logElement.depth; x++) { /* we need to read the next long */ if (offset < 0) { if (logElement.packing == 1) @@ -699,23 +694,22 @@ static int logImageElementGetData10(LogImageFile *logImage, LogImageElement logE static int logImageElementGetData10Packed(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned int pixel, oldPixel; - int offset, offset2, x, y; /* converting bytes to pixels */ - for (y = 0; y < logImage->height; y++) { + for (size_t y = 0; y < logImage->height; y++) { /* seek to data */ if (logimage_fseek(logImage, y * rowLength + logElement.dataOffset, SEEK_SET) != 0) { - if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", y * rowLength + logElement.dataOffset); + if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", (int)(y * rowLength + logElement.dataOffset)); return 1; } oldPixel = 0; - offset = 0; - offset2 = 0; + int offset = 0; + int offset2 = 0; - for (x = 0; x < logImage->width * logElement.depth; x++) { + for (size_t x = 0; x < logImage->width * logElement.depth; x++) { if (offset2 != 0) { offset = 10 - offset2; offset2 = 0; @@ -778,23 +772,22 @@ static int logImageElementGetData12(LogImageFile *logImage, LogImageElement logE static int logImageElementGetData12Packed(LogImageFile *logImage, LogImageElement logElement, float *data) { - unsigned int rowLength = getRowLength(logImage->width, logElement); + size_t rowLength = getRowLength(logImage->width, logElement); unsigned int pixel, oldPixel; - int offset, offset2, x, y; /* converting bytes to pixels */ - for (y = 0; y < logImage->height; y++) { + for (size_t y = 0; y < logImage->height; y++) { /* seek to data */ if (logimage_fseek(logImage, y * rowLength + logElement.dataOffset, SEEK_SET) != 0) { - if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", y * rowLength + logElement.dataOffset); + if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", (int)(y * rowLength + logElement.dataOffset)); return 1; } oldPixel = 0; - offset = 0; - offset2 = 0; + int offset = 0; + int offset2 = 0; - for (x = 0; x < logImage->width * logElement.depth; x++) { + for (size_t x = 0; x < logImage->width * logElement.depth; x++) { if (offset2 != 0) { offset = 12 - offset2; offset2 = 0; @@ -1119,7 +1112,7 @@ static int convertRGBA_RGBA(float *src, float *dst, LogImageFile *logImage, case transfer_UserDefined: case transfer_Linear: case transfer_Logarithmic: { - memcpy(dst, src, 4 * logImage->width * logImage->height * sizeof(float)); + memcpy(dst, src, 4 * (size_t)logImage->width * (size_t)logImage->height * sizeof(float)); return 0; } @@ -1434,11 +1427,11 @@ static int convertRGBAToLogElement(float *src, float *dst, LogImageFile *logImag if (srcIsLinearRGB != 0) { /* we need to convert src to sRGB */ - srgbSrc = (float *)MEM_mallocN(4 * logImage->width * logImage->height * sizeof(float), __func__); + srgbSrc = (float *)imb_alloc_pixels(logImage->width, logImage->height, 4, sizeof(float), __func__); if (srgbSrc == NULL) return 1; - memcpy(srgbSrc, src, 4 * logImage->width * logImage->height * sizeof(float)); + memcpy(srgbSrc, src, 4 * (size_t)logImage->width * (size_t)logImage->height * sizeof(float)); srgbSrc_ptr = srgbSrc; /* convert data from Linear RGB to sRGB via lut */ diff --git a/source/blender/imbuf/intern/cineon/logImageCore.h b/source/blender/imbuf/intern/cineon/logImageCore.h index e39df1ea096..b6f4fff73f6 100644 --- a/source/blender/imbuf/intern/cineon/logImageCore.h +++ b/source/blender/imbuf/intern/cineon/logImageCore.h @@ -196,7 +196,7 @@ LogImageFile *logImageCreate(const char *filename, int cineon, int width, int he void logImageClose(LogImageFile *logImage); /* Data handling */ -unsigned int getRowLength(int width, LogImageElement logElement); +size_t getRowLength(size_t width, LogImageElement logElement); int logImageSetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB); int logImageGetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB); diff --git a/source/blender/imbuf/intern/iris.c b/source/blender/imbuf/intern/iris.c index 6c0849358a5..c62829cb8fa 100644 --- a/source/blender/imbuf/intern/iris.c +++ b/source/blender/imbuf/intern/iris.c @@ -260,7 +260,6 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors const uchar *mem_end = mem + size; MFileOffset _inf_data = {mem, 0}, *inf = &_inf_data; IMAGE image; - int x, y, z, tablen; int bpp, rle, cur, badorder; ImBuf *ibuf; uchar dirty_flag = 0; @@ -304,7 +303,7 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors } if (rle) { - tablen = ysize * zsize * sizeof(int); + size_t tablen = (size_t)ysize * (size_t)zsize * sizeof(int); MFILE_SEEK(inf, HEADER_SIZE); uint *starttab = MEM_mallocN(tablen, "iris starttab"); @@ -321,8 +320,8 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors /* check data order */ cur = 0; badorder = 0; - for (y = 0; y < ysize; y++) { - for (z = 0; z < zsize; z++) { + for (size_t y = 0; y < ysize; y++) { + for (size_t z = 0; z < zsize; z++) { if (starttab[y + z * ysize] < cur) { badorder = 1; break; @@ -336,14 +335,17 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors if (bpp == 1) { ibuf = IMB_allocImBuf(xsize, ysize, 8 * zsize, IB_rect); + if (!ibuf) { + goto fail_rle; + } if (ibuf->planes > 32) ibuf->planes = 32; base = ibuf->rect; zbase = (uint *)ibuf->zbuf; if (badorder) { - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { lptr = base; - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { MFILE_SEEK(inf, starttab[y + z * ysize]); rledat = MFILE_DATA(inf); MFILE_STEP(inf, lengthtab[y + z * ysize]); @@ -358,12 +360,12 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors else { lptr = base; zptr = zbase; - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { uint *lptr_next = lptr + xsize; uint *zptr_next = zptr + xsize; - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { MFILE_SEEK(inf, starttab[y + z * ysize]); rledat = MFILE_DATA(inf); MFILE_STEP(inf, lengthtab[y + z * ysize]); @@ -386,13 +388,16 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors else { /* bpp == 2 */ ibuf = IMB_allocImBuf(xsize, ysize, 32, (flags & IB_rect) | IB_rectfloat); - + if (!ibuf) { + goto fail_rle; + } + fbase = ibuf->rect_float; if (badorder) { - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { fptr = fbase; - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { MFILE_SEEK(inf, starttab[y + z * ysize]); rledat = MFILE_DATA(inf); MFILE_STEP(inf, lengthtab[y + z * ysize]); @@ -408,9 +413,9 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors fptr = fbase; float *fptr_next = fptr + (xsize * 4); - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { MFILE_SEEK(inf, starttab[y + z * ysize]); rledat = MFILE_DATA(inf); MFILE_STEP(inf, lengthtab[y + z * ysize]); @@ -426,6 +431,10 @@ struct ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, char colors fail_rle: MEM_freeN(starttab); MEM_freeN(lengthtab); + + if (!ibuf) { + return NULL; + } } else { @@ -435,6 +444,9 @@ fail_rle: if (bpp == 1) { ibuf = IMB_allocImBuf(xsize, ysize, 8 * zsize, IB_rect); + if (!ibuf) { + goto fail_uncompressed; + } if (ibuf->planes > 32) ibuf->planes = 32; base = ibuf->rect; @@ -443,12 +455,12 @@ fail_rle: MFILE_SEEK(inf, HEADER_SIZE); rledat = MFILE_DATA(inf); - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { if (z < 4) lptr = base; else if (z < 8) lptr = zbase; - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { const uchar *rledat_next = rledat + xsize; const int z_ofs = 3 - z; MFILE_CAPACITY_AT_PTR_OK_OR_FAIL(rledat_next + z_ofs); @@ -462,17 +474,20 @@ fail_rle: else { /* bpp == 2 */ ibuf = IMB_allocImBuf(xsize, ysize, 32, (flags & IB_rect) | IB_rectfloat); + if (!ibuf) { + goto fail_uncompressed; + } fbase = ibuf->rect_float; MFILE_SEEK(inf, HEADER_SIZE); rledat = MFILE_DATA(inf); - for (z = 0; z < zsize; z++) { + for (size_t z = 0; z < zsize; z++) { fptr = fbase; - for (y = 0; y < ysize; y++) { + for (size_t y = 0; y < ysize; y++) { const uchar *rledat_next = rledat + xsize * 2; const int z_ofs = 3 - z; MFILE_CAPACITY_AT_PTR_OK_OR_FAIL(rledat_next + z_ofs); @@ -485,7 +500,9 @@ fail_rle: } #undef MFILE_CAPACITY_AT_PTR_OK_OR_FAIL fail_uncompressed: - (void)0; + if (!ibuf) { + return NULL; + } } if (bpp == 1) { @@ -493,7 +510,7 @@ fail_uncompressed: if (image.zsize == 1) { rect = (uchar *) ibuf->rect; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { rect[0] = 255; rect[1] = rect[2] = rect[3]; rect += 4; @@ -502,7 +519,7 @@ fail_uncompressed: else if (image.zsize == 2) { /* grayscale with alpha */ rect = (uchar *) ibuf->rect; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { rect[0] = rect[2]; rect[1] = rect[2] = rect[3]; rect += 4; @@ -511,7 +528,7 @@ fail_uncompressed: else if (image.zsize == 3) { /* add alpha */ rect = (uchar *) ibuf->rect; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { rect[0] = 255; rect += 4; } @@ -522,7 +539,7 @@ fail_uncompressed: if (image.zsize == 1) { fbase = ibuf->rect_float; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { fbase[0] = 1; fbase[1] = fbase[2] = fbase[3]; fbase += 4; @@ -531,7 +548,7 @@ fail_uncompressed: else if (image.zsize == 2) { /* grayscale with alpha */ fbase = ibuf->rect_float; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { fbase[0] = fbase[2]; fbase[1] = fbase[2] = fbase[3]; fbase += 4; @@ -540,7 +557,7 @@ fail_uncompressed: else if (image.zsize == 3) { /* add alpha */ fbase = ibuf->rect_float; - for (x = ibuf->x * ibuf->y; x > 0; x--) { + for (size_t x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) { fbase[0] = 1; fbase += 4; } diff --git a/source/blender/imbuf/intern/png.c b/source/blender/imbuf/intern/png.c index dded0f7aecf..857f72e10eb 100644 --- a/source/blender/imbuf/intern/png.c +++ b/source/blender/imbuf/intern/png.c @@ -526,7 +526,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors unsigned char *from, *to; unsigned short *from16; float *to_float; - int i, bytesperpixel; + unsigned int channels; if (imb_is_a_png(mem) == 0) return(NULL); @@ -571,7 +571,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, NULL, NULL, NULL); - bytesperpixel = png_get_channels(png_ptr, info_ptr); + channels = png_get_channels(png_ptr, info_ptr); switch (color_type) { case PNG_COLOR_TYPE_RGB: @@ -580,10 +580,10 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors case PNG_COLOR_TYPE_PALETTE: png_set_palette_to_rgb(png_ptr); if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) { - bytesperpixel = 4; + channels = 4; } else { - bytesperpixel = 3; + channels = 3; } break; case PNG_COLOR_TYPE_GRAY: @@ -593,7 +593,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors bit_depth = 8; if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) { /* PNG_COLOR_TYPE_GRAY may also have alpha 'values', like with palette. */ - bytesperpixel = 2; + channels = 2; } } break; @@ -602,7 +602,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors longjmp(png_jmpbuf(png_ptr), 1); } - ibuf = IMB_allocImBuf(width, height, 8 * bytesperpixel, 0); + ibuf = IMB_allocImBuf(width, height, 8 * channels, 0); if (ibuf) { ibuf->ftype = IMB_FTYPE_PNG; @@ -630,23 +630,23 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors imb_addrectfloatImBuf(ibuf); png_set_swap(png_ptr); - pixels16 = MEM_mallocN(ibuf->x * ibuf->y * bytesperpixel * sizeof(png_uint_16), "pixels"); - if (pixels16 == NULL) { + pixels16 = imb_alloc_pixels(ibuf->x, ibuf->y, channels, sizeof(png_uint_16), "pixels"); + if (pixels16 == NULL || ibuf->rect_float == NULL) { printf("Cannot allocate pixels array\n"); longjmp(png_jmpbuf(png_ptr), 1); } /* allocate memory for an array of row-pointers */ - row_pointers = (png_bytepp) MEM_mallocN(ibuf->y * sizeof(png_uint_16p), "row_pointers"); + row_pointers = (png_bytepp) MEM_mallocN((size_t)ibuf->y * sizeof(png_uint_16p), "row_pointers"); if (row_pointers == NULL) { printf("Cannot allocate row-pointers array\n"); longjmp(png_jmpbuf(png_ptr), 1); } /* set the individual row-pointers to point at the correct offsets */ - for (i = 0; i < ibuf->y; i++) { + for (size_t i = 0; i < ibuf->y; i++) { row_pointers[ibuf->y - 1 - i] = (png_bytep) - ((png_uint_16 *)pixels16 + (i * ibuf->x) * bytesperpixel); + ((png_uint_16 *)pixels16 + (i * ibuf->x) * channels); } png_read_image(png_ptr, row_pointers); @@ -656,9 +656,9 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors to_float = ibuf->rect_float; from16 = pixels16; - switch (bytesperpixel) { + switch (channels) { case 4: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to_float[0] = from16[0] / 65535.0; to_float[1] = from16[1] / 65535.0; to_float[2] = from16[2] / 65535.0; @@ -667,7 +667,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors } break; case 3: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to_float[0] = from16[0] / 65535.0; to_float[1] = from16[1] / 65535.0; to_float[2] = from16[2] / 65535.0; @@ -676,14 +676,14 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors } break; case 2: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to_float[0] = to_float[1] = to_float[2] = from16[0] / 65535.0; to_float[3] = from16[1] / 65535.0; to_float += 4; from16 += 2; } break; case 1: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to_float[0] = to_float[1] = to_float[2] = from16[0] / 65535.0; to_float[3] = 1.0; to_float += 4; from16++; @@ -694,23 +694,23 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors else { imb_addrectImBuf(ibuf); - pixels = MEM_mallocN(((size_t)ibuf->x) * ibuf->y * bytesperpixel * sizeof(unsigned char), "pixels"); - if (pixels == NULL) { + pixels = imb_alloc_pixels(ibuf->x, ibuf->y, channels, sizeof(unsigned char), "pixels"); + if (pixels == NULL || ibuf->rect == NULL) { printf("Cannot allocate pixels array\n"); longjmp(png_jmpbuf(png_ptr), 1); } /* allocate memory for an array of row-pointers */ - row_pointers = (png_bytepp) MEM_mallocN(ibuf->y * sizeof(png_bytep), "row_pointers"); + row_pointers = (png_bytepp) MEM_mallocN((size_t)ibuf->y * sizeof(png_bytep), "row_pointers"); if (row_pointers == NULL) { printf("Cannot allocate row-pointers array\n"); longjmp(png_jmpbuf(png_ptr), 1); } /* set the individual row-pointers to point at the correct offsets */ - for (i = 0; i < ibuf->y; i++) { + for (int i = 0; i < ibuf->y; i++) { row_pointers[ibuf->y - 1 - i] = (png_bytep) - ((unsigned char *)pixels + (((size_t)i) * ibuf->x) * bytesperpixel * sizeof(unsigned char)); + ((unsigned char *)pixels + (((size_t)i) * ibuf->x) * channels * sizeof(unsigned char)); } png_read_image(png_ptr, row_pointers); @@ -720,9 +720,9 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors to = (unsigned char *) ibuf->rect; from = pixels; - switch (bytesperpixel) { + switch (channels) { case 4: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to[0] = from[0]; to[1] = from[1]; to[2] = from[2]; @@ -731,7 +731,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors } break; case 3: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to[0] = from[0]; to[1] = from[1]; to[2] = from[2]; @@ -740,14 +740,14 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors } break; case 2: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to[0] = to[1] = to[2] = from[0]; to[3] = from[1]; to += 4; from += 2; } break; case 1: - for (i = ibuf->x * ibuf->y; i > 0; i--) { + for (size_t i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) { to[0] = to[1] = to[2] = from[0]; to[3] = 0xff; to += 4; from++; @@ -759,7 +759,7 @@ ImBuf *imb_loadpng(const unsigned char *mem, size_t size, int flags, char colors if (flags & IB_metadata) { png_text *text_chunks; int count = png_get_text(png_ptr, info_ptr, &text_chunks, NULL); - for (i = 0; i < count; i++) { + for (int i = 0; i < count; i++) { IMB_metadata_add_field(ibuf, text_chunks[i].key, text_chunks[i].text); ibuf->flags |= IB_metadata; } diff --git a/source/blender/imbuf/intern/radiance_hdr.c b/source/blender/imbuf/intern/radiance_hdr.c index a21468e474c..cecebf7bfa3 100644 --- a/source/blender/imbuf/intern/radiance_hdr.c +++ b/source/blender/imbuf/intern/radiance_hdr.c @@ -71,7 +71,7 @@ typedef float fCOLOR[3]; /* read routines */ static const unsigned char *oldreadcolrs(RGBE *scan, const unsigned char *mem, int xmax, const unsigned char *mem_eof) { - int i, rshift = 0, len = xmax; + size_t i, rshift = 0, len = xmax; while (len > 0) { if (UNLIKELY(mem_eof - mem < 4)) { return NULL; @@ -99,8 +99,6 @@ static const unsigned char *oldreadcolrs(RGBE *scan, const unsigned char *mem, i static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int xmax, const unsigned char *mem_eof) { - int i, j, code, val; - if (UNLIKELY(mem_eof - mem < 4)) { return NULL; } @@ -109,38 +107,38 @@ static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int return oldreadcolrs(scan, mem, xmax, mem_eof); } - i = *mem++; - if (i != 2) { + int val = *mem++; + if (val != 2) { return oldreadcolrs(scan, mem - 1, xmax, mem_eof); } scan[0][GRN] = *mem++; scan[0][BLU] = *mem++; - i = *mem++; + val = *mem++; if (scan[0][GRN] != 2 || scan[0][BLU] & 128) { scan[0][RED] = 2; - scan[0][EXP] = i; + scan[0][EXP] = val; return oldreadcolrs(scan + 1, mem, xmax - 1, mem_eof); } - if (UNLIKELY(((scan[0][BLU] << 8) | i) != xmax)) { + if (UNLIKELY(((scan[0][BLU] << 8) | val) != xmax)) { return NULL; } - for (i = 0; i < 4; i++) { + for (size_t i = 0; i < 4; i++) { if (UNLIKELY(mem_eof - mem < 2)) { return NULL; } - for (j = 0; j < xmax; ) { - code = *mem++; + for (size_t j = 0; j < xmax; ) { + int code = *mem++; if (code > 128) { code &= 127; if (UNLIKELY(code + j > xmax)) { return NULL; } - val = *mem++; + int val = *mem++; while (code--) { scan[j++][i] = (unsigned char)val; } @@ -215,7 +213,6 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem, size_t size, int flags, char float *rect_float; int found = 0; int width = 0, height = 0; - int x, y; const unsigned char *ptr, *mem_eof = mem + size; char oriY[80], oriX[80]; @@ -223,6 +220,7 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem, size_t size, int flags, char colorspace_set_default_role(colorspace, IM_MAX_SPACE, COLOR_ROLE_DEFAULT_FLOAT); /* find empty line, next line is resolution info */ + size_t x; for (x = 1; x < size; x++) { if ((mem[x - 1] == '\n') && (mem[x] == '\n')) { found = 1; @@ -259,13 +257,13 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem, size_t size, int flags, char sline = (RGBE *)MEM_mallocN(sizeof(*sline) * width, __func__); rect_float = ibuf->rect_float; - for (y = 0; y < height; y++) { + for (size_t y = 0; y < height; y++) { ptr = freadcolrs(sline, ptr, width, mem_eof); if (ptr == NULL) { printf("WARNING! HDR decode error, image may be just truncated, or completely wrong...\n"); break; } - for (x = 0; x < width; x++) { + for (size_t x = 0; x < width; x++) { /* convert to ldr */ RGBE2FLOAT(sline[x], fcol); *rect_float++ = fcol[RED]; @@ -293,7 +291,7 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem, size_t size, int flags, char /* ImBuf write */ static int fwritecolrs(FILE *file, int width, int channels, unsigned char *ibufscan, float *fpscan) { - int x, i, j, beg, c2, cnt = 0; + int beg, c2, cnt = 0; fCOLOR fcol; RGBE rgbe, *rgbe_scan; @@ -304,8 +302,8 @@ static int fwritecolrs(FILE *file, int width, int channels, unsigned char *ibufs rgbe_scan = (RGBE *)MEM_mallocN(sizeof(RGBE) * width, "radhdr_write_tmpscan"); /* convert scanline */ - j = 0; - for (i = 0; i < width; i++) { + size_t j = 0; + for (size_t i = 0; i < width; i++) { if (fpscan) { fcol[RED] = fpscan[j]; fcol[GRN] = (channels >= 2) ? fpscan[j + 1] : fpscan[j]; @@ -322,7 +320,7 @@ static int fwritecolrs(FILE *file, int width, int channels, unsigned char *ibufs } if ((width < MINELEN) | (width > MAXELEN)) { /* OOBs, write out flat */ - x = fwrite((char *)rgbe_scan, sizeof(RGBE), width, file) - width; + int x = fwrite((char *)rgbe_scan, sizeof(RGBE), width, file) - width; MEM_freeN(rgbe_scan); return x; } @@ -332,8 +330,8 @@ static int fwritecolrs(FILE *file, int width, int channels, unsigned char *ibufs putc((unsigned char)(width >> 8), file); putc((unsigned char)(width & 255), file); /* put components separately */ - for (i = 0; i < 4; i++) { - for (j = 0; j < width; j += cnt) { /* find next run */ + for (size_t i = 0; i < 4; i++) { + for (size_t j = 0; j < width; j += cnt) { /* find next run */ for (beg = j; beg < width; beg += cnt) { for (cnt = 1; (cnt < 127) && ((beg + cnt) < width) && (rgbe_scan[beg + cnt][i] == rgbe_scan[beg][i]); cnt++) ; if (cnt >= MINRUN) break; /* long enough */ @@ -386,7 +384,7 @@ int imb_savehdr(struct ImBuf *ibuf, const char *name, int flags) { FILE *file = BLI_fopen(name, "wb"); float *fp = NULL; - int y, width = ibuf->x, height = ibuf->y; + size_t width = ibuf->x, height = ibuf->y; unsigned char *cp = NULL; (void)flags; /* unused */ @@ -402,7 +400,7 @@ int imb_savehdr(struct ImBuf *ibuf, const char *name, int flags) if (ibuf->rect_float) fp = ibuf->rect_float + ibuf->channels * (height - 1) * width; - for (y = height - 1; y >= 0; y--) { + for (size_t y = height - 1; y >= 0; y--) { if (fwritecolrs(file, width, ibuf->channels, cp, fp) < 0) { fclose(file); printf("HDR write error\n"); diff --git a/source/blender/imbuf/intern/tiff.c b/source/blender/imbuf/intern/tiff.c index 98aa7c5353b..afd28bb570b 100644 --- a/source/blender/imbuf/intern/tiff.c +++ b/source/blender/imbuf/intern/tiff.c @@ -376,7 +376,7 @@ static void imb_read_tiff_resolution(ImBuf *ibuf, TIFF *image) */ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) { - ImBuf *tmpibuf; + ImBuf *tmpibuf = NULL; int success = 0; short bitspersample, spp, config; size_t scanline; @@ -412,16 +412,25 @@ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) if (bitspersample == 32) { ib_flag = IB_rectfloat; fbuf = (float *)_TIFFmalloc(scanline); + if (!fbuf) { + goto cleanup; + } } else if (bitspersample == 16) { ib_flag = IB_rectfloat; sbuf = (unsigned short *)_TIFFmalloc(scanline); + if (!sbuf) { + goto cleanup; + } } else { ib_flag = IB_rect; } tmpibuf = IMB_allocImBuf(ibuf->x, ibuf->y, ibuf->planes, ib_flag); + if (!tmpibuf) { + goto cleanup; + } /* simple RGBA image */ if (!(bitspersample == 32 || bitspersample == 16)) { @@ -430,7 +439,7 @@ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) /* contiguous channels: RGBRGBRGB */ else if (config == PLANARCONFIG_CONTIG) { for (row = 0; row < ibuf->y; row++) { - int ib_offset = ibuf->x * ibuf->y * 4 - ibuf->x * 4 * (row + 1); + size_t ib_offset = (size_t)ibuf->x * 4 * ((size_t)ibuf->y - ((size_t)row + 1)); if (bitspersample == 32) { success |= TIFFReadScanline(image, fbuf, row, 0); @@ -450,7 +459,7 @@ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) * but only fill in from the TIFF scanline where necessary. */ for (chan = 0; chan < 4; chan++) { for (row = 0; row < ibuf->y; row++) { - int ib_offset = ibuf->x * ibuf->y * 4 - ibuf->x * 4 * (row + 1); + size_t ib_offset = (size_t)ibuf->x * 4 * ((size_t)ibuf->y - ((size_t)row + 1)); if (bitspersample == 32) { if (chan == 3 && spp == 3) /* fill alpha if only RGB TIFF */ @@ -475,11 +484,6 @@ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) } } } - - if (bitspersample == 32) - _TIFFfree(fbuf); - else if (bitspersample == 16) - _TIFFfree(sbuf); if (success) { /* Code seems to be not needed for 16 bits tif, on PPC G5 OSX (ton) */ @@ -498,6 +502,12 @@ static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image) tmpibuf->mall &= ~ib_flag; } +cleanup: + if (bitspersample == 32) + _TIFFfree(fbuf); + else if (bitspersample == 16) + _TIFFfree(sbuf); + IMB_freeImBuf(tmpibuf); return success; -- cgit v1.2.3