1 diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c 2 index e612d06..d515798 100644 3 --- a/third_party/libopenjpeg20/j2k.c 4 +++ b/third_party/libopenjpeg20/j2k.c 5 @@ -8148,11 +8148,16 @@ static OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, 6 7 /* Allocate output component buffer if necessary */ 8 if (!l_img_comp_dest->data) { 9 - 10 - l_img_comp_dest->data = (OPJ_INT32*) opj_calloc((OPJ_SIZE_T)l_img_comp_dest->w * (OPJ_SIZE_T)l_img_comp_dest->h, sizeof(OPJ_INT32)); 11 - if (! l_img_comp_dest->data) { 12 - return OPJ_FALSE; 13 - } 14 + OPJ_UINT32 width = l_img_comp_dest->w; 15 + OPJ_UINT32 height = l_img_comp_dest->h; 16 + const OPJ_UINT32 MAX_SIZE = UINT32_MAX / sizeof(OPJ_INT32); 17 + if (height == 0 || width > MAX_SIZE / height) { 18 + return OPJ_FALSE; 19 + } 20 + l_img_comp_dest->data = (OPJ_INT32*)opj_calloc(width * height, sizeof(OPJ_INT32)); 21 + if (!l_img_comp_dest->data) { 22 + return OPJ_FALSE; 23 + } 24 } 25 26 /* Copy info from decoded comp image to output image */ 27
