From c30b1e72dac76343ef9029833d1561de07d29bad Mon Sep 17 00:00:00 2001
From: DRC
Date: Tue, 12 Nov 2019 12:27:22 -0600
Subject: [PATCH] 64-bit tjbench: Fix signed int overflow/segfault ... that occurred when attempting to decompress images with more than 715827882 (2048*1024*1024 / 3) pixels. Fixes #388
---
 ChangeLog.md | 4 ++++
 tjbench.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index 4d6960f3..da160f0f 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -8,6 +8,10 @@
 64-bit libjpeg-turbo SDK for Visual C++ were installed on the same system, only one of them could be uninstalled.
+2. Fixed a signed integer overflow and subsequent segfault that occurred when
+attempting to decompress images with more than 715827882 pixels using the
+64-bit C version of TJBench.
+
 2.0.3 =====
diff --git a/tjbench.c b/tjbench.c
index a7d39731..13a5bde6 100644
--- a/tjbench.c
+++ b/tjbench.c
@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
 } /* Set the destination buffer to gray so we know whether the decompressor attempted to write to it */
- memset(dstBuf, 127, pitch * scaledh);
+ memset(dstBuf, 127, (size_t)pitch * scaledh);
 if (doYUV) { int width = doTile ? tilew : scaledw;
@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
 double start = getTime(); for (row = 0, dstPtr = dstBuf; row < ntilesh;
- row++, dstPtr += pitch * tileh) {
+ row++, dstPtr += (size_t)pitch * tileh) {
 for (col = 0, dstPtr2 = dstPtr; col < ntilesw; col++, tile++, dstPtr2 += ps * tilew) { int width = doTile ? min(tilew, w - col * tilew) : scaledw;
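Review bot: The `(size_t)pitch * scaledh` passed to `memset()` in the first tjbench.c hunk is widened but never validated: `pitch` and `scaledh` appear to be signed ints set outside the hunk, so a negative or already-wrapped `pitch` converts to a huge `size_t` and the fill would run past `dstBuf`, and on a 32-bit build the product can still wrap. The allocation of `dstBuf` is also outside the hunk, and the fill is only safe if that allocation uses the same widened size, which should be confirmed. The `dstPtr += (size_t)pitch * tileh` stride in the second hunk depends on the same values. A guard ahead of the memset that takes the function's existing error path would cover both, e.g. `if (pitch <= 0 || scaledh <= 0 || (size_t)pitch > (size_t)-1 / (size_t)scaledh)`. decomp() starts and ends outside both hunks.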