diff -Naur blender-2.68a-original/source/blender/avi/CMakeLists.txt blender-2.68a/source/blender/avi/CMakeLists.txt
--- blender-2.68a-original/source/blender/avi/CMakeLists.txt 2012-10-07 02:27:31.000000000 -0400
+++ blender-2.68a/source/blender/avi/CMakeLists.txt 2022-04-04 07:18:55.810153370 -0400
@@ -26,6 +26,7 @@
set(INC
.
../blenlib
+ ../imbuf
../../../intern/guardedalloc
)
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi.c blender-2.68a/source/blender/avi/intern/avi.c
--- blender-2.68a-original/source/blender/avi/intern/avi.c 2013-05-28 15:35:26.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi.c 2022-04-04 08:51:43.768676218 -0400
@@ -285,13 +285,15 @@
fseek(movie.fp, movie.header->size - 14 * 4, SEEK_CUR);
- if (movie.header->Streams < 1) {
- DEBUG_PRINT("streams less than 1\n");
+ /* Limit number of streams to some reasonable amount to prevent
+ * buffer oveflow vulnerabilities. */
+ if (movie.header->Streams < 1 || movie.header->Streams > 65536) {
+ DEBUG_PRINT("Number of streams should be in range 1-65536\n");
fclose(movie.fp);
return 0;
}
- movie.streams = (AviStreamRec *) MEM_callocN(sizeof(AviStreamRec) * movie.header->Streams, "moviestreams");
+ movie.streams = (AviStreamRec *) MEM_calloc_arrayN(movie.header->Streams, sizeof(AviStreamRec), "moviestreams");
for (temp = 0; temp < movie.header->Streams; temp++) {
@@ -486,12 +488,14 @@
fseek(movie->fp, movie->header->size - 14 * 4, SEEK_CUR);
- if (movie->header->Streams < 1) {
- DEBUG_PRINT("streams less than 1\n");
+ /* Limit number of streams to some reasonable amount to prevent
+ * buffer oveflow vulnerabilities. */
+ if (movie->header->Streams < 1 || movie->header->Streams > 65536) {
+ DEBUG_PRINT("Number of streams should be in range 1-65536\n");
return AVI_ERROR_FORMAT;
}
- movie->streams = (AviStreamRec *) MEM_callocN(sizeof(AviStreamRec) * movie->header->Streams, "moviestreams");
+ movie->streams = (AviStreamRec *) MEM_calloc_arrayN(movie->header->Streams, sizeof(AviStreamRec), "moviestreams");
for (temp = 0; temp < movie->header->Streams; temp++) {
@@ -689,7 +693,8 @@
void *AVI_read_frame(AviMovie *movie, AviFormat format, int frame, int stream)
{
- int cur_frame = -1, temp, i = 0, rewind = 1;
+ int cur_frame = -1, i = 0, rewind = 1;
+ size_t size;
void *buffer;
/* Retrieve the record number of the desired frame in the index
@@ -720,16 +725,16 @@
fseek(movie->fp, movie->read_offset + movie->entries[i - 1].Offset, SEEK_SET);
- temp = GET_FCC(movie->fp);
- buffer = MEM_mallocN(temp, "readbuffer");
+ size = GET_FCC(movie->fp);
+ buffer = MEM_mallocN(size, "readbuffer");
- if (fread(buffer, 1, temp, movie->fp) != temp) {
+ if (fread(buffer, 1, size, movie->fp) != size) {
MEM_freeN(buffer);
return NULL;
}
- buffer = avi_format_convert(movie, stream, buffer, movie->streams[stream].format, format, &temp);
+ buffer = avi_format_convert(movie, stream, buffer, movie->streams[stream].format, format, &size);
return buffer;
}
@@ -801,6 +806,13 @@
movie->header->Reserved[2] = 0;
movie->header->Reserved[3] = 0;
+ /* Limit number of streams to some reasonable amount to prevent
+ * buffer oveflow vulnerabilities. */
+ if (movie->header->Streams < 0 || movie->header->Streams > 65536) {
+ DEBUG_PRINT("Number of streams should be in range 0-65536\n");
+ return AVI_ERROR_FORMAT;
+ }
+
movie->streams = (AviStreamRec *) MEM_mallocN(sizeof(AviStreamRec) * movie->header->Streams, "moviestreams");
va_start(ap, streams);
@@ -962,7 +974,6 @@
int64_t rec_off;
AviFormat format;
void *buffer;
- int size;
if (frame_num < 0)
return AVI_ERROR_OPTION;
@@ -993,6 +1004,7 @@
for (stream = 0; stream < movie->header->Streams; stream++) {
unsigned int tbuf = 0;
+ size_t size;
format = va_arg(ap, AviFormat);
buffer = va_arg(ap, void *);
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_codecs.c blender-2.68a/source/blender/avi/intern/avi_codecs.c
--- blender-2.68a-original/source/blender/avi/intern/avi_codecs.c 2012-10-07 02:27:31.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_codecs.c 2022-04-04 07:23:09.248184710 -0400
@@ -39,7 +39,7 @@
#include "avi_mjpeg.h"
#include "avi_rgb32.h"
-void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, int *size)
+void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, size_t *size)
{
if (from == to)
return buffer;
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_intern.h blender-2.68a/source/blender/avi/intern/avi_intern.h
--- blender-2.68a-original/source/blender/avi/intern/avi_intern.h 2013-04-17 21:52:38.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_intern.h 2022-04-04 07:23:24.235363969 -0400
@@ -59,7 +59,7 @@
putc(ch2[1], fp); \
} (void)0
-void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, int *size);
+void *avi_format_convert(AviMovie *movie, int stream, void *buffer, AviFormat from, AviFormat to, size_t *size);
int avi_get_data_id(AviFormat format, int stream);
int avi_get_format_type(AviFormat format);
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_mjpeg.c blender-2.68a/source/blender/avi/intern/avi_mjpeg.c
--- blender-2.68a-original/source/blender/avi/intern/avi_mjpeg.c 2012-12-23 08:57:09.000000000 -0500
+++ blender-2.68a/source/blender/avi/intern/avi_mjpeg.c 2022-04-04 14:04:29.614968727 -0400
@@ -39,6 +39,8 @@
#include "MEM_guardedalloc.h"
+#include "IMB_imbuf.h"
+
#include "jpeglib.h"
#include "jerror.h"
@@ -46,10 +48,10 @@
#define PADUP(num, amt) ((num + (amt - 1)) & ~(amt - 1))
-static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, int bufsize);
-static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, int bufsize);
+static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, size_t bufsize);
+static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, size_t bufsize);
-static int numbytes;
+static size_t numbytes;
static void add_huff_table(j_decompress_ptr dinfo, JHUFF_TBL **htblptr, const UINT8 *bits, const UINT8 *val)
{
@@ -153,10 +155,9 @@
bits_ac_chrominance, val_ac_chrominance);
}
-static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsigned int width, unsigned int height, int bufsize)
+static int Decode_JPEG(unsigned char *inBuffer, unsigned char *outBuffer, unsigned int width, unsigned int height, size_t bufsize)
{
- int rowstride;
- unsigned int y;
+ size_t rowstride, y;
struct jpeg_decompress_struct dinfo;
struct jpeg_error_mgr jerr;
@@ -206,10 +207,10 @@
return 1;
}
-static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned char *inBuffer, int width, int height, int bufsize)
+static void Compress_JPEG(int quality, unsigned char *outbuffer, const unsigned char *inBuffer, int width, int height, size_t bufsize)
{
- int i, rowstride;
- unsigned int y;
+ int i;
+ size_t rowstride, y;
struct jpeg_compress_struct cinfo;
struct jpeg_error_mgr jerr;
unsigned char marker[60];
@@ -270,7 +271,7 @@
static void interlace(unsigned char *to, unsigned char *from, int width, int height)
{
- int i, rowstride = width * 3;
+ size_t i, rowstride = width * 3;
for (i = 0; i < height; i++) {
if (i & 1)
@@ -282,7 +283,7 @@
static void deinterlace(int odd, unsigned char *to, unsigned char *from, int width, int height)
{
- int i, rowstride = width * 3;
+ size_t i, rowstride = width * 3;
for (i = 0; i < height; i++) {
if ((i & 1) == odd)
@@ -346,22 +347,27 @@
}
}
-void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
int deint;
unsigned char *buf;
(void)stream; /* unused */
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_from_mjpeg 1");
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_from_mjpeg 1");
+ if (!buf) {
+ return NULL;
+ }
deint = check_and_decode_jpeg(buffer, buf, movie->header->Width, movie->header->Height, *size);
MEM_freeN(buffer);
if (deint) {
- buffer = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_from_mjpeg 2");
- interlace(buffer, buf, movie->header->Width, movie->header->Height);
+ buffer = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_from_mjpeg 2");
+ if (buffer) {
+ interlace(buffer, buf, movie->header->Width, movie->header->Height);
+ }
MEM_freeN(buf);
buf = buffer;
@@ -370,43 +376,50 @@
return buf;
}
-void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
unsigned char *buf;
- int bufsize = *size;
+ size_t bufsize = *size;
numbytes = 0;
*size = 0;
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_to_mjpeg 1");
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_to_mjpeg 1");
+ if (!buf) {
+ return NULL;
+ }
+
if (!movie->interlace) {
check_and_compress_jpeg(movie->streams[stream].sh.Quality / 100,
buf, buffer,
movie->header->Width,
movie->header->Height,
bufsize);
+ *size += numbytes;
}
else {
deinterlace(movie->odd_fields, buf, buffer, movie->header->Width, movie->header->Height);
MEM_freeN(buffer);
buffer = buf;
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "avi.avi_converter_to_mjpeg 2");
-
- check_and_compress_jpeg(movie->streams[stream].sh.Quality / 100,
- buf, buffer,
- movie->header->Width,
- movie->header->Height / 2,
- bufsize / 2);
- *size += numbytes;
- numbytes = 0;
- check_and_compress_jpeg(movie->streams[stream].sh.Quality / 100,
- buf + *size, buffer + (movie->header->Height / 2) * movie->header->Width * 3,
- movie->header->Width,
- movie->header->Height / 2,
- bufsize / 2);
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "avi.avi_converter_to_mjpeg 1");
+
+ if (buf) {
+ Compress_JPEG(movie->streams[stream].sh.Quality / 100,
+ buf, buffer,
+ movie->header->Width,
+ movie->header->Height / 2,
+ bufsize / 2);
+ *size += numbytes;
+ numbytes = 0;
+ Compress_JPEG(movie->streams[stream].sh.Quality / 100,
+ buf + *size, buffer + (size_t)(movie->header->Height / 2) * (size_t)movie->header->Width * 3,
+ movie->header->Width,
+ movie->header->Height / 2,
+ bufsize / 2);
+ *size += numbytes;
+ }
}
- *size += numbytes;
MEM_freeN(buffer);
return buf;
@@ -433,7 +446,7 @@
MEM_freeN(cinfo->dest);
}
-static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, int bufsize)
+static void jpegmemdestmgr_build(j_compress_ptr cinfo, unsigned char *buffer, size_t bufsize)
{
cinfo->dest = MEM_mallocN(sizeof(*(cinfo->dest)), "avi.jpegmemdestmgr_build");
@@ -486,7 +499,7 @@
MEM_freeN(dinfo->src);
}
-static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, int bufsize)
+static void jpegmemsrcmgr_build(j_decompress_ptr dinfo, unsigned char *buffer, size_t bufsize)
{
dinfo->src = MEM_mallocN(sizeof(*(dinfo->src)), "avi.jpegmemsrcmgr_build");
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_mjpeg.h blender-2.68a/source/blender/avi/intern/avi_mjpeg.h
--- blender-2.68a-original/source/blender/avi/intern/avi_mjpeg.h 2013-04-17 21:52:38.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_mjpeg.h 2022-04-04 07:29:10.605507637 -0400
@@ -32,7 +32,7 @@
#ifndef __AVI_MJPEG_H__
#define __AVI_MJPEG_H__
-void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size);
-void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, int *size);
+void *avi_converter_from_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
+void *avi_converter_to_mjpeg(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
#endif /* __AVI_MJPEG_H__ */
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_rgb32.c blender-2.68a/source/blender/avi/intern/avi_rgb32.c
--- blender-2.68a-original/source/blender/avi/intern/avi_rgb32.c 2012-10-07 02:27:31.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_rgb32.c 2022-04-04 08:59:10.860988656 -0400
@@ -37,23 +37,29 @@
#include "MEM_guardedalloc.h"
+#include "IMB_imbuf.h"
+
#include "AVI_avi.h"
#include "avi_rgb32.h"
-void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
- int y, x, rowstridea, rowstrideb;
+ size_t y, rowstridea, rowstrideb;
unsigned char *buf;
(void)stream; /* unused */
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromrgb32buf");
- *size = movie->header->Height * movie->header->Width * 3;
+ *size = (size_t)movie->header->Height * (size_t)movie->header->Width * 3;
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromrgb32buf");
+ if (!buf) {
+ return NULL;
+ }
rowstridea = movie->header->Width * 3;
rowstrideb = movie->header->Width * 4;
- for (y = 0; y < movie->header->Height; y++) {
+ for ( y = 0; y < movie->header->Height; y++) {
+ size_t x;
for (x = 0; x < movie->header->Width; x++) {
buf[y * rowstridea + x * 3 + 0] = buffer[y * rowstrideb + x * 4 + 3];
buf[y * rowstridea + x * 3 + 1] = buffer[y * rowstrideb + x * 4 + 2];
@@ -66,21 +72,24 @@
return buf;
}
-void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
- int i;
+ size_t i;
unsigned char *buf;
unsigned char *to, *from;
(void)stream; /* unused */
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 4, "torgb32buf");
- *size = movie->header->Height * movie->header->Width * 4;
+ *size = (size_t)movie->header->Height * (size_t)movie->header->Width * 4;
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "torgb32buf");
+ if (!buf) {
+ return NULL;
+ }
memset(buf, 255, *size);
to = buf; from = buffer;
- i = movie->header->Height * movie->header->Width;
+ i = (size_t)movie->header->Height * (size_t)movie->header->Width;
while (i--) {
memcpy(to, from, 3);
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_rgb32.h blender-2.68a/source/blender/avi/intern/avi_rgb32.h
--- blender-2.68a-original/source/blender/avi/intern/avi_rgb32.h 2012-10-07 02:27:31.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_rgb32.h 2022-04-04 07:41:09.931118849 -0400
@@ -32,7 +32,7 @@
#ifndef __AVI_RGB32_H__
#define __AVI_RGB32_H__
-void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size);
-void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, int *size);
+void *avi_converter_from_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
+void *avi_converter_to_rgb32(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
#endif /* __AVI_RGB32_H__ */
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_rgb.c blender-2.68a/source/blender/avi/intern/avi_rgb.c
--- blender-2.68a-original/source/blender/avi/intern/avi_rgb.c 2012-11-17 21:41:55.000000000 -0500
+++ blender-2.68a/source/blender/avi/intern/avi_rgb.c 2022-04-04 13:54:10.675622194 -0400
@@ -40,11 +40,12 @@
#include "AVI_avi.h"
#include "avi_rgb.h"
+#include "IMB_imbuf.h"
+
/* implementation */
-void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
- int x, y, i, rowstride;
unsigned char *buf;
AviBitmapInfoHeader *bi;
short bits = 32;
@@ -60,33 +61,36 @@
#ifdef __BIG_ENDIAN__
unsigned char *pxla;
#endif
-
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf");
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf");
+
+ if (buf) {
+ size_t y = movie->header->Height;
+ to = buf;
- y = movie->header->Height;
- to = buf;
+ while (y--) {
+ size_t x;
+
+ pxl = (unsigned short *) (buffer + y * movie->header->Width * 2);
- while (y--) {
- pxl = (unsigned short *) (buffer + y * movie->header->Width * 2);
-
#ifdef __BIG_ENDIAN__
- pxla = (unsigned char *)pxl;
+ pxla = (unsigned char *)pxl;
#endif
- x = movie->header->Width;
- while (x--) {
+ x = movie->header->Width;
+ while (x--) {
#ifdef __BIG_ENDIAN__
- i = pxla[0];
- pxla[0] = pxla[1];
- pxla[1] = i;
-
- pxla += 2;
+ int i = pxla[0];
+ pxla[0] = pxla[1];
+ pxla[1] = i;
+
+ pxla += 2;
#endif
-
- *(to++) = ((*pxl >> 10) & 0x1f) * 8;
- *(to++) = ((*pxl >> 5) & 0x1f) * 8;
- *(to++) = (*pxl & 0x1f) * 8;
- pxl++;
+
+ *(to++) = ((*pxl >> 10) & 0x1f) * 8;
+ *(to++) = ((*pxl >> 5) & 0x1f) * 8;
+ *(to++) = (*pxl & 0x1f) * 8;
+ pxl++;
+ }
}
}
@@ -95,30 +99,33 @@
return buf;
}
else {
- buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf");
-
- rowstride = movie->header->Width * 3;
- if ((bits != 16) && (movie->header->Width % 2)) rowstride++;
-
- for (y = 0; y < movie->header->Height; y++) {
- memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3);
- }
+ buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf");
- for (y = 0; y < movie->header->Height * movie->header->Width * 3; y += 3) {
- i = buf[y];
- buf[y] = buf[y + 2];
- buf[y + 2] = i;
+ if (buf) {
+ size_t y;
+ size_t rowstride = movie->header->Width * 3;
+ if ((bits != 16) && (movie->header->Width % 2)) rowstride++;
+
+ for (y = 0; y < movie->header->Height; y++) {
+ memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3);
+ }
+
+ for (y = 0; y < (size_t)movie->header->Height * (size_t)movie->header->Width * 3; y += 3) {
+ int i = buf[y];
+ buf[y] = buf[y + 2];
+ buf[y + 2] = i;
+ }
}
-
+
MEM_freeN(buffer);
-
+
return buf;
}
}
-void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size)
+void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size)
{
- int y, x, i, rowstride;
+ size_t y, rowstride;
unsigned char *buf;
(void)stream; /* unused */
@@ -136,8 +143,9 @@
}
for (y = 0; y < movie->header->Height; y++) {
+ size_t x;
for (x = 0; x < movie->header->Width * 3; x += 3) {
- i = buf[y * rowstride + x];
+ int i = buf[y * rowstride + x];
buf[y * rowstride + x] = buf[y * rowstride + x + 2];
buf[y * rowstride + x + 2] = i;
}
diff -Naur blender-2.68a-original/source/blender/avi/intern/avi_rgb.h blender-2.68a/source/blender/avi/intern/avi_rgb.h
--- blender-2.68a-original/source/blender/avi/intern/avi_rgb.h 2012-10-07 02:27:31.000000000 -0400
+++ blender-2.68a/source/blender/avi/intern/avi_rgb.h 2022-04-04 07:36:15.196590519 -0400
@@ -32,7 +32,7 @@
#ifndef __AVI_RGB_H__
#define __AVI_RGB_H__
-void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size);
-void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size);
+void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
+void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size);
#endif /* __AVI_RGB_H__ */
diff -Naur blender-2.68a-original/source/blender/imbuf/IMB_imbuf.h blender-2.68a/source/blender/imbuf/IMB_imbuf.h
--- blender-2.68a-original/source/blender/imbuf/IMB_imbuf.h 2013-05-12 05:14:13.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/IMB_imbuf.h 2022-04-04 07:41:29.491353010 -0400
@@ -503,6 +503,12 @@
int IMB_metadata_change_field(struct ImBuf *img, const char *key, const char *field);
/* exported for image tools in blender, to quickly allocate 32 bits rect */
+void *imb_alloc_pixels(unsigned int x,
+ unsigned int y,
+ unsigned int channels,
+ size_t typesize,
+ const char *name);
+
short imb_addrectImBuf(struct ImBuf *ibuf);
void imb_freerectImBuf(struct ImBuf *ibuf);
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/allocimbuf.c blender-2.68a/source/blender/imbuf/intern/allocimbuf.c
--- blender-2.68a-original/source/blender/imbuf/intern/allocimbuf.c 2012-12-19 10:02:51.000000000 -0500
+++ blender-2.68a/source/blender/imbuf/intern/allocimbuf.c 2022-04-04 08:59:57.627543513 -0400
@@ -193,14 +193,11 @@
short addzbufImBuf(ImBuf *ibuf)
{
- int size;
-
if (ibuf == NULL) return FALSE;
IMB_freezbufImBuf(ibuf);
- size = ibuf->x * ibuf->y * sizeof(unsigned int);
- if ((ibuf->zbuf = MEM_mapallocN(size, "addzbufImBuf"))) {
+ if ((ibuf->zbuf = imb_alloc_pixels(ibuf->x, ibuf->y, 1, sizeof(unsigned int), "addzbufImBuf"))) {
ibuf->mall |= IB_zbuf;
ibuf->flags |= IB_zbuf;
return TRUE;
@@ -211,14 +208,11 @@
short addzbuffloatImBuf(ImBuf *ibuf)
{
- int size;
-
if (ibuf == NULL) return FALSE;
IMB_freezbuffloatImBuf(ibuf);
- size = ibuf->x * ibuf->y * sizeof(float);
- if ((ibuf->zbuf_float = MEM_mapallocN(size, "addzbuffloatImBuf"))) {
+ if ((ibuf->zbuf_float = imb_alloc_pixels(ibuf->x, ibuf->y, 1, sizeof(float), "addzbuffloatImBuf"))) {
ibuf->mall |= IB_zbuffloat;
ibuf->flags |= IB_zbuffloat;
return TRUE;
@@ -287,20 +281,34 @@
return TRUE;
}
+void *imb_alloc_pixels(unsigned int x,
+ unsigned int y,
+ unsigned int channels,
+ size_t typesize,
+ const char *name)
+{
+ size_t size;
+
+ /* Protect against buffer overflow vulnerabilities from files specifying
+ * a width and height that overflow and alloc too little memory. */
+ if (!((uint64_t)x * (uint64_t)y < (SIZE_MAX / (channels * typesize)))) {
+ return NULL;
+ }
+
+ size = (size_t)x * (size_t)y * (size_t)channels * typesize;
+ return MEM_mapallocN(size, name);
+}
+
short imb_addrectfloatImBuf(ImBuf *ibuf)
{
- int size;
-
if (ibuf == NULL) return FALSE;
if (ibuf->rect_float)
imb_freerectfloatImBuf(ibuf); /* frees mipmap too, hrm */
- size = ibuf->x * ibuf->y;
- size = size * 4 * sizeof(float);
ibuf->channels = 4;
- if ((ibuf->rect_float = MEM_mapallocN(size, "imb_addrectfloatImBuf"))) {
+ if ((ibuf->rect_float = imb_alloc_pixels(ibuf->x, ibuf->y, 4, sizeof(float), "imb_addrectfloatImBuf"))) {
ibuf->mall |= IB_rectfloat;
ibuf->flags |= IB_rectfloat;
return TRUE;
@@ -312,8 +320,6 @@
/* question; why also add zbuf? */
short imb_addrectImBuf(ImBuf *ibuf)
{
- int size;
-
if (ibuf == NULL) return FALSE;
/* don't call imb_freerectImBuf, it frees mipmaps, this call is used only too give float buffers display */
@@ -321,10 +327,7 @@
MEM_freeN(ibuf->rect);
ibuf->rect = NULL;
- size = ibuf->x * ibuf->y;
- size = size * sizeof(unsigned int);
-
- if ((ibuf->rect = MEM_mapallocN(size, "imb_addrectImBuf"))) {
+ if ((ibuf->rect = imb_alloc_pixels(ibuf->x, ibuf->y, 4, sizeof(unsigned char), "imb_addrectImBuf"))) {
ibuf->mall |= IB_rect;
ibuf->flags |= IB_rect;
if (ibuf->planes > 32) return (addzbufImBuf(ibuf));
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/bmp.c blender-2.68a/source/blender/imbuf/intern/bmp.c
--- blender-2.68a-original/source/blender/imbuf/intern/bmp.c 2013-03-17 06:26:23.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/bmp.c 2022-04-04 09:04:24.666711767 -0400
@@ -125,7 +125,7 @@
{
struct ImBuf *ibuf = NULL;
BMPINFOHEADER bmi;
- int x, y, depth, skip, i;
+ int x, y, depth, skip;
unsigned char *bmp, *rect;
unsigned short col;
double xppm, yppm;
@@ -163,10 +163,15 @@
}
else {
ibuf = IMB_allocImBuf(x, y, depth, IB_rect);
+ if (!ibuf) {
+ return NULL;
+ }
+
bmp = mem + skip;
rect = (unsigned char *) ibuf->rect;
if (depth == 16) {
+ size_t i;
for (i = x * y; i > 0; i--) {
col = bmp[0] + (bmp[1] << 8);
rect[0] = ((col >> 10) & 0x1f) << 3;
@@ -179,8 +184,9 @@
}
else if (depth == 24) {
+ size_t i;
for (i = y; i > 0; i--) {
- int j;
+ size_t j;
for (j = x; j > 0; j--) {
rect[0] = bmp[2];
rect[1] = bmp[1];
@@ -194,6 +200,7 @@
}
}
else if (depth == 32) {
+ size_t i;
for (i = x * y; i > 0; i--) {
rect[0] = bmp[2];
rect[1] = bmp[1];
@@ -232,7 +239,7 @@
int imb_savebmp(struct ImBuf *ibuf, const char *name, int flags)
{
BMPINFOHEADER infoheader;
- int bytesize, extrabytes, x, y, t, ptr;
+ size_t bytesize, extrabytes, y, ptr;
uchar *data;
FILE *ofile;
@@ -265,6 +272,7 @@
/* Need to write out padded image data in bgr format */
for (y = 0; y < ibuf->y; y++) {
+ size_t x, t;
for (x = 0; x < ibuf->x; x++) {
ptr = (x + y * ibuf->x) * 4;
if (putc(data[ptr + 2], ofile) == EOF) return 0;
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/cineon/dpxlib.c blender-2.68a/source/blender/imbuf/intern/cineon/dpxlib.c
--- blender-2.68a-original/source/blender/imbuf/intern/cineon/dpxlib.c 2013-03-22 01:34:10.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/cineon/dpxlib.c 2022-04-04 13:32:48.236366316 -0400
@@ -137,6 +137,7 @@
LogImageFile *dpx = (LogImageFile *)MEM_mallocN(sizeof(LogImageFile), __func__);
char *filename = (char *)byteStuff;
int i;
+ size_t max_elements;
if (dpx == NULL) {
if (verbose) printf("DPX: Failed to malloc dpx file structure.\n");
@@ -192,7 +193,8 @@
dpx->srcFormat = format_DPX;
dpx->numElements = swap_ushort(header.imageHeader.elements_per_image, dpx->isMSB);
- if (dpx->numElements == 0) {
+ max_elements = sizeof(header.imageHeader.element)/sizeof(header.imageHeader.element[0]);
+ if (dpx->numElements == 0 || dpx->numElements >= max_elements) {
if (verbose) printf("DPX: Wrong number of elements: %d\n", dpx->numElements);
logImageClose(dpx);
return NULL;
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/cineon/logImageCore.c blender-2.68a/source/blender/imbuf/intern/cineon/logImageCore.c
--- blender-2.68a-original/source/blender/imbuf/intern/cineon/logImageCore.c 2013-07-17 10:14:50.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/cineon/logImageCore.c 2022-04-04 13:42:55.865601375 -0400
@@ -38,6 +38,8 @@
#include "BLI_fileops.h"
#include "BLI_utildefines.h"
+#include "IMB_imbuf.h"
+
#include "MEM_guardedalloc.h"
/*
@@ -162,7 +164,7 @@
* Helper
*/
-unsigned int getRowLength(int width, LogImageElement logElement)
+size_t getRowLength(size_t width, LogImageElement logElement)
{
/* return the row length in bytes according to width and packing method */
switch (logElement.bitsPerSample) {
@@ -202,7 +204,7 @@
float *elementData;
int returnValue;
- elementData = (float *)MEM_mallocN(logImage->width * logImage->height * logImage->depth * sizeof(float), __func__);
+ elementData = (float *)imb_alloc_pixels(logImage->width, logImage->height, logImage->depth, sizeof(float), __func__);
if (elementData == NULL)
return 1;
@@ -239,9 +241,9 @@
static int logImageSetData8(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned char *row;
- int x, y;
+ size_t y;
row = (unsigned char *)MEM_mallocN(rowLength, __func__);
if (row == NULL) {
@@ -251,6 +253,7 @@
memset(row, 0, rowLength);
for (y = 0; y < logImage->height; y++) {
+ size_t x;
for (x = 0; x < logImage->width * logImage->depth; x++)
row[x] = (unsigned char)float_uint(data[y * logImage->width * logImage->depth + x], 255);
@@ -266,10 +269,10 @@
static int logImageSetData10(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned int pixel, index;
unsigned int *row;
- int x, y, offset;
+ size_t y;
row = (unsigned int *)MEM_mallocN(rowLength, __func__);
if (row == NULL) {
@@ -278,7 +281,8 @@
}
for (y = 0; y < logImage->height; y++) {
- offset = 22;
+ size_t x;
+ int offset = 22;
index = 0;
pixel = 0;
@@ -308,9 +312,9 @@
static int logImageSetData12(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned short *row;
- int x, y;
+ size_t y;
row = (unsigned short *)MEM_mallocN(rowLength, __func__);
if (row == NULL) {
@@ -319,6 +323,7 @@
}
for (y = 0; y < logImage->height; y++) {
+ size_t x;
for (x = 0; x < logImage->width * logImage->depth; x++)
row[x] = swap_ushort(((unsigned short)float_uint(data[y * logImage->width * logImage->depth + x], 4095)) << 4, logImage->isMSB);
@@ -334,9 +339,9 @@
static int logImageSetData16(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned short *row;
- int x, y;
+ size_t y;
row = (unsigned short *)MEM_mallocN(rowLength, __func__);
if (row == NULL) {
@@ -345,6 +350,7 @@
}
for (y = 0; y < logImage->height; y++) {
+ size_t x;
for (x = 0; x < logImage->width * logImage->depth; x++)
row[x] = swap_ushort((unsigned short)float_uint(data[y * logImage->width * logImage->depth + x], 65535), logImage->isMSB);
@@ -382,7 +388,7 @@
/* descriptor_Depth and descriptor_Composite are not supported */
if (logImage->element[i].descriptor != descriptor_Depth && logImage->element[i].descriptor != descriptor_Composite) {
/* Allocate memory */
- elementData[i] = (float *)MEM_mallocN(logImage->width * logImage->height * logImage->element[i].depth * sizeof(float), __func__);
+ elementData[i] = imb_alloc_pixels(logImage->width, logImage->height, logImage->element[i].depth, sizeof(float), __func__);
if (elementData[i] == NULL) {
if (verbose) printf("DPX/Cineon: Cannot allocate memory for elementData[%d]\n.", i);
for (j = 0; j < i; j++)
@@ -530,7 +536,7 @@
}
}
- mergedData = (float *)MEM_mallocN(logImage->width * logImage->height * mergedElement.depth * sizeof(float), __func__);
+ mergedData = (float *)imb_alloc_pixels(logImage->width, logImage->height, mergedElement.depth, sizeof(float), __func__);
if (mergedData == NULL) {
if (verbose) printf("DPX/Cineon: Cannot allocate mergedData.\n");
for (i = 0; i < logImage->numElements; i++)
@@ -590,7 +596,7 @@
static int logImageElementGetData1(LogImageFile *logImage, LogImageElement logElement, float *data)
{
unsigned int pixel;
- int x, y, offset;
+ size_t y;
/* seek at the right place */
if (logimage_fseek(logImage, logElement.dataOffset, SEEK_SET) != 0) {
@@ -600,7 +606,9 @@
/* read 1 bit data padded to 32 bits */
for (y = 0; y < logImage->height; y++) {
+ size_t x;
for (x = 0; x < logImage->width * logElement.depth; x += 32) {
+ int offset;
if (logimage_read_uint(&pixel, logImage) != 0) {
if (verbose) printf("DPX/Cineon: EOF reached\n");
return 1;
@@ -615,15 +623,16 @@
static int logImageElementGetData8(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned char pixel;
- int x, y;
+ size_t y;
/* extract required pixels */
for (y = 0; y < logImage->height; y++) {
+ size_t x;
/* 8 bits are 32-bits padded so we need to seek at each row */
if (logimage_fseek(logImage, logElement.dataOffset + y * rowLength, SEEK_SET) != 0) {
- if (verbose) printf("DPX/Cineon: Couldn't seek at %d\n", logElement.dataOffset + y * rowLength);
+ if (verbose) printf("DPX/Cineon: Couldn't seek at %d\n", (int)(logElement.dataOffset + y * rowLength));
return 1;
}
@@ -641,7 +650,6 @@
static int logImageElementGetData10(LogImageFile *logImage, LogImageElement logElement, float *data)
{
unsigned int pixel;
- int x, y, offset;
/* seek to data */
if (logimage_fseek(logImage, logElement.dataOffset, SEEK_SET) != 0) {
@@ -650,8 +658,10 @@
}
if (logImage->depth == 1 && logImage->srcFormat == format_DPX) {
+ size_t y;
for (y = 0; y < logImage->height; y++) {
- offset = 32;
+ int offset = 32;
+ size_t x;
for (x = 0; x < logImage->width * logElement.depth; x++) {
/* we need to read the next long */
if (offset >= 30) {
@@ -672,8 +682,10 @@
}
}
else {
+ size_t y;
for (y = 0; y < logImage->height; y++) {
- offset = -1;
+ int offset = -1;
+ size_t x;
for (x = 0; x < logImage->width * logElement.depth; x++) {
/* we need to read the next long */
if (offset < 0) {
@@ -699,15 +711,18 @@
static int logImageElementGetData10Packed(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned int pixel, oldPixel;
- int offset, offset2, x, y;
+ size_t y;
/* converting bytes to pixels */
for (y = 0; y < logImage->height; y++) {
+ int offset, offset2;
+ size_t x;
+
/* seek to data */
if (logimage_fseek(logImage, y * rowLength + logElement.dataOffset, SEEK_SET) != 0) {
- if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", y * rowLength + logElement.dataOffset);
+ if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", (int)(y * rowLength + logElement.dataOffset));
return 1;
}
@@ -778,15 +793,18 @@
static int logImageElementGetData12Packed(LogImageFile *logImage, LogImageElement logElement, float *data)
{
- unsigned int rowLength = getRowLength(logImage->width, logElement);
+ size_t rowLength = getRowLength(logImage->width, logElement);
unsigned int pixel, oldPixel;
- int offset, offset2, x, y;
+ size_t y;
/* converting bytes to pixels */
for (y = 0; y < logImage->height; y++) {
+ int offset, offset2;
+ size_t x;
+
/* seek to data */
if (logimage_fseek(logImage, y * rowLength + logElement.dataOffset, SEEK_SET) != 0) {
- if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", y * rowLength + logElement.dataOffset);
+ if (verbose) printf("DPX/Cineon: Couldn't seek at %u\n", (int)(y * rowLength + logElement.dataOffset));
return 1;
}
@@ -1115,7 +1133,7 @@
case transfer_UserDefined:
case transfer_Linear:
case transfer_Logarithmic: {
- memcpy(dst, src, 4 * logImage->width * logImage->height * sizeof(float));
+ memcpy(dst, src, 4 * (size_t)logImage->width * (size_t)logImage->height * sizeof(float));
return 0;
}
@@ -1430,11 +1448,11 @@
if (srcIsLinearRGB != 0) {
/* we need to convert src to sRGB */
- srgbSrc = (float *)MEM_mallocN(4 * logImage->width * logImage->height * sizeof(float), __func__);
+ srgbSrc = (float *)imb_alloc_pixels(logImage->width, logImage->height, 4, sizeof(float), __func__);
if (srgbSrc == NULL)
return 1;
- memcpy(srgbSrc, src, 4 * logImage->width * logImage->height * sizeof(float));
+ memcpy(srgbSrc, src, 4 * (size_t)logImage->width * (size_t)logImage->height * sizeof(float));
srgbSrc_ptr = srgbSrc;
/* convert data from Linear RGB to sRGB via lut */
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/cineon/logImageCore.h blender-2.68a/source/blender/imbuf/intern/cineon/logImageCore.h
--- blender-2.68a-original/source/blender/imbuf/intern/cineon/logImageCore.h 2013-05-28 15:35:26.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/cineon/logImageCore.h 2022-04-04 08:08:50.270987726 -0400
@@ -198,7 +198,7 @@
void logImageClose(LogImageFile *logImage);
/* Data handling */
-unsigned int getRowLength(int width, LogImageElement logElement);
+size_t getRowLength(size_t width, LogImageElement logElement);
int logImageSetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB);
int logImageGetDataRGBA(LogImageFile *logImage, float *data, int dataIsLinearRGB);
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/iris.c blender-2.68a/source/blender/imbuf/intern/iris.c
--- blender-2.68a-original/source/blender/imbuf/intern/iris.c 2013-03-04 22:17:46.000000000 -0500
+++ blender-2.68a/source/blender/imbuf/intern/iris.c 2022-04-04 09:12:38.122566058 -0400
@@ -260,7 +260,6 @@
unsigned int *starttab, *lengthtab;
FILE *inf = NULL;
IMAGE image;
- int x, y, z, tablen;
int xsize, ysize, zsize;
int bpp, rle, cur, badorder;
ImBuf *ibuf;
@@ -301,8 +300,8 @@
}
if (rle) {
-
- tablen = ysize * zsize * sizeof(int);
+ size_t y;
+ size_t tablen = (size_t)ysize * (size_t)zsize * sizeof(int);
starttab = (unsigned int *)MEM_mallocN(tablen, "iris starttab");
lengthtab = (unsigned int *)MEM_mallocN(tablen, "iris endtab");
file_offset = 512;
@@ -314,6 +313,7 @@
cur = 0;
badorder = 0;
for (y = 0; y < ysize; y++) {
+ size_t z;
for (z = 0; z < zsize; z++) {
if (starttab[y + z * ysize] < cur) {
badorder = 1;
@@ -328,11 +328,15 @@
if (bpp == 1) {
ibuf = IMB_allocImBuf(xsize, ysize, 8 * zsize, IB_rect);
+ if (!ibuf) {
+ goto fail_rle;
+ }
if (ibuf->planes > 32) ibuf->planes = 32;
base = ibuf->rect;
zbase = (unsigned int *)ibuf->zbuf;
if (badorder) {
+ size_t z;
for (z = 0; z < zsize; z++) {
lptr = base;
for (y = 0; y < ysize; y++) {
@@ -350,6 +354,7 @@
lptr = base;
zptr = zbase;
for (y = 0; y < ysize; y++) {
+ size_t z;
for (z = 0; z < zsize; z++) {
@@ -371,10 +376,14 @@
else { /* bpp == 2 */
ibuf = IMB_allocImBuf(xsize, ysize, 32, (flags & IB_rect) | IB_rectfloat);
-
+ if (!ibuf) {
+ goto fail_rle;
+ }
+
fbase = ibuf->rect_float;
if (badorder) {
+ size_t z;
for (z = 0; z < zsize; z++) {
fptr = fbase;
for (y = 0; y < ysize; y++) {
@@ -392,6 +401,7 @@
fptr = fbase;
for (y = 0; y < ysize; y++) {
+ size_t z;
for (z = 0; z < zsize; z++) {
@@ -408,14 +418,22 @@
}
}
+fail_rle:
MEM_freeN(starttab);
MEM_freeN(lengthtab);
+ if (!ibuf) {
+ return NULL;
+ }
}
else {
if (bpp == 1) {
+ size_t z;
ibuf = IMB_allocImBuf(xsize, ysize, 8 * zsize, IB_rect);
+ if (!ibuf) {
+ goto fail_uncompressed;
+ }
if (ibuf->planes > 32) ibuf->planes = 32;
base = ibuf->rect;
@@ -425,6 +443,7 @@
rledat = file_data + file_offset;
for (z = 0; z < zsize; z++) {
+ size_t y;
if (z < 4) lptr = base;
else if (z < 8) lptr = zbase;
@@ -440,8 +459,12 @@
}
else { /* bpp == 2 */
+ size_t z;
ibuf = IMB_allocImBuf(xsize, ysize, 32, (flags & IB_rect) | IB_rectfloat);
+ if (!ibuf) {
+ goto fail_uncompressed;
+ }
fbase = ibuf->rect_float;
@@ -449,6 +472,7 @@
rledat = file_data + file_offset;
for (z = 0; z < zsize; z++) {
+ size_t y;
fptr = fbase;
@@ -462,6 +486,10 @@
}
}
+fail_uncompressed:
+ if (!ibuf) {
+ return NULL;
+ }
}
@@ -469,8 +497,9 @@
uchar *rect;
if (image.zsize == 1) {
+ size_t x;
rect = (uchar *) ibuf->rect;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
rect[0] = 255;
rect[1] = rect[2] = rect[3];
rect += 4;
@@ -478,8 +507,9 @@
}
else if (image.zsize == 2) {
/* grayscale with alpha */
+ size_t x;
rect = (uchar *) ibuf->rect;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
rect[0] = rect[2];
rect[1] = rect[2] = rect[3];
rect += 4;
@@ -487,8 +517,9 @@
}
else if (image.zsize == 3) {
/* add alpha */
+ size_t x;
rect = (uchar *) ibuf->rect;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
rect[0] = 255;
rect += 4;
}
@@ -498,8 +529,9 @@
else { /* bpp == 2 */
if (image.zsize == 1) {
+ size_t x;
fbase = ibuf->rect_float;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
fbase[0] = 1;
fbase[1] = fbase[2] = fbase[3];
fbase += 4;
@@ -507,8 +539,9 @@
}
else if (image.zsize == 2) {
/* grayscale with alpha */
+ size_t x;
fbase = ibuf->rect_float;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
fbase[0] = fbase[2];
fbase[1] = fbase[2] = fbase[3];
fbase += 4;
@@ -516,8 +549,9 @@
}
else if (image.zsize == 3) {
/* add alpha */
+ size_t x;
fbase = ibuf->rect_float;
- for (x = ibuf->x * ibuf->y; x > 0; x--) {
+ for (x = (size_t)ibuf->x * (size_t)ibuf->y; x > 0; x--) {
fbase[0] = 1;
fbase += 4;
}
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/png.c blender-2.68a/source/blender/imbuf/intern/png.c
--- blender-2.68a-original/source/blender/imbuf/intern/png.c 2013-05-29 07:49:39.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/png.c 2022-04-04 09:56:49.601984192 -0400
@@ -499,7 +499,7 @@
unsigned char *from, *to;
unsigned short *from16;
float *to_float;
- int i, bytesperpixel;
+ unsigned int channels;
if (imb_is_a_png(mem) == 0) return(NULL);
@@ -542,7 +542,7 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth,
&color_type, NULL, NULL, NULL);
- bytesperpixel = png_get_channels(png_ptr, info_ptr);
+ channels = png_get_channels(png_ptr, info_ptr);
switch (color_type) {
case PNG_COLOR_TYPE_RGB:
@@ -551,10 +551,10 @@
case PNG_COLOR_TYPE_PALETTE:
png_set_palette_to_rgb(png_ptr);
if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
- bytesperpixel = 4;
+ channels = 4;
}
else {
- bytesperpixel = 3;
+ channels = 3;
}
break;
case PNG_COLOR_TYPE_GRAY:
@@ -569,7 +569,7 @@
longjmp(png_jmpbuf(png_ptr), 1);
}
- ibuf = IMB_allocImBuf(width, height, 8 * bytesperpixel, 0);
+ ibuf = IMB_allocImBuf(width, height, 8 * channels, 0);
if (ibuf) {
ibuf->ftype = PNG;
@@ -593,17 +593,19 @@
if (ibuf && ((flags & IB_test) == 0)) {
if (bit_depth == 16) {
+ size_t i;
+
imb_addrectfloatImBuf(ibuf);
png_set_swap(png_ptr);
- pixels16 = MEM_mallocN(ibuf->x * ibuf->y * bytesperpixel * sizeof(png_uint_16), "pixels");
- if (pixels16 == NULL) {
+ pixels16 = imb_alloc_pixels(ibuf->x, ibuf->y, channels, sizeof(png_uint_16), "pixels");
+ if (pixels16 == NULL || ibuf->rect_float == NULL) {
printf("Cannot allocate pixels array\n");
longjmp(png_jmpbuf(png_ptr), 1);
}
/* allocate memory for an array of row-pointers */
- row_pointers = (png_bytepp) MEM_mallocN(ibuf->y * sizeof(png_uint_16p), "row_pointers");
+ row_pointers = (png_bytepp) MEM_mallocN((size_t)ibuf->y * sizeof(png_uint_16p), "row_pointers");
if (row_pointers == NULL) {
printf("Cannot allocate row-pointers array\n");
longjmp(png_jmpbuf(png_ptr), 1);
@@ -612,7 +614,7 @@
/* set the individual row-pointers to point at the correct offsets */
for (i = 0; i < ibuf->y; i++) {
row_pointers[ibuf->y - 1 - i] = (png_bytep)
- ((png_uint_16 *)pixels16 + (i * ibuf->x) * bytesperpixel);
+ ((png_uint_16 *)pixels16 + (i * ibuf->x) * channels);
}
png_read_image(png_ptr, row_pointers);
@@ -622,9 +624,9 @@
to_float = ibuf->rect_float;
from16 = pixels16;
- switch (bytesperpixel) {
+ switch (channels) {
case 4:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to_float[0] = from16[0] / 65535.0;
to_float[1] = from16[1] / 65535.0;
to_float[2] = from16[2] / 65535.0;
@@ -633,7 +635,7 @@
}
break;
case 3:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to_float[0] = from16[0] / 65535.0;
to_float[1] = from16[1] / 65535.0;
to_float[2] = from16[2] / 65535.0;
@@ -642,14 +644,14 @@
}
break;
case 2:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to_float[0] = to_float[1] = to_float[2] = from16[0] / 65535.0;
to_float[3] = from16[1] / 65535.0;
to_float += 4; from16 += 2;
}
break;
case 1:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to_float[0] = to_float[1] = to_float[2] = from16[0] / 65535.0;
to_float[3] = 1.0;
to_float += 4; from16++;
@@ -658,25 +660,28 @@
}
}
else {
+ size_t i;
+ int ri;
+
imb_addrectImBuf(ibuf);
- pixels = MEM_mallocN(ibuf->x * ibuf->y * bytesperpixel * sizeof(unsigned char), "pixels");
- if (pixels == NULL) {
+ pixels = imb_alloc_pixels(ibuf->x, ibuf->y, channels, sizeof(unsigned char), "pixels");
+ if (pixels == NULL || ibuf->rect == NULL) {
printf("Cannot allocate pixels array\n");
longjmp(png_jmpbuf(png_ptr), 1);
}
/* allocate memory for an array of row-pointers */
- row_pointers = (png_bytepp) MEM_mallocN(ibuf->y * sizeof(png_bytep), "row_pointers");
+ row_pointers = (png_bytepp) MEM_mallocN((size_t)ibuf->y * sizeof(png_bytep), "row_pointers");
if (row_pointers == NULL) {
printf("Cannot allocate row-pointers array\n");
longjmp(png_jmpbuf(png_ptr), 1);
}
/* set the individual row-pointers to point at the correct offsets */
- for (i = 0; i < ibuf->y; i++) {
- row_pointers[ibuf->y - 1 - i] = (png_bytep)
- ((unsigned char *)pixels + (i * ibuf->x) * bytesperpixel * sizeof(unsigned char));
+ for (ri = 0; ri < ibuf->y; ri++) {
+ row_pointers[ibuf->y - 1 - ri] = (png_bytep)
+ ((unsigned char *)pixels + (((size_t)ri) * ibuf->x) * channels * sizeof(unsigned char));
}
png_read_image(png_ptr, row_pointers);
@@ -686,9 +691,9 @@
to = (unsigned char *) ibuf->rect;
from = pixels;
- switch (bytesperpixel) {
+ switch (channels) {
case 4:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to[0] = from[0];
to[1] = from[1];
to[2] = from[2];
@@ -697,7 +702,7 @@
}
break;
case 3:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to[0] = from[0];
to[1] = from[1];
to[2] = from[2];
@@ -706,14 +711,14 @@
}
break;
case 2:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to[0] = to[1] = to[2] = from[0];
to[3] = from[1];
to += 4; from += 2;
}
break;
case 1:
- for (i = ibuf->x * ibuf->y; i > 0; i--) {
+ for (i = (size_t)ibuf->x * (size_t)ibuf->y; i > 0; i--) {
to[0] = to[1] = to[2] = from[0];
to[3] = 0xff;
to += 4; from++;
@@ -725,6 +730,7 @@
if (flags & IB_metadata) {
png_text *text_chunks;
int count = png_get_text(png_ptr, info_ptr, &text_chunks, NULL);
+ int i;
for (i = 0; i < count; i++) {
IMB_metadata_add_field(ibuf, text_chunks[i].key, text_chunks[i].text);
ibuf->flags |= IB_metadata;
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c
--- blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c 2013-03-08 22:46:30.000000000 -0500
+++ blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c 2022-04-04 13:11:02.035807999 -0400
@@ -75,7 +75,7 @@
/* read routines */
static unsigned char *oldreadcolrs(RGBE *scan, unsigned char *mem, int xmax)
{
- int i, rshift = 0, len = xmax;
+ size_t i, rshift = 0, len = xmax;
while (len > 0) {
scan[0][RED] = *mem++;
scan[0][GRN] = *mem++;
@@ -100,22 +100,23 @@
static unsigned char *freadcolrs(RGBE *scan, unsigned char *mem, int xmax)
{
- int i, j, code, val;
-
+ int val;
+ size_t i;
if ((xmax < MINELEN) | (xmax > MAXELEN)) return oldreadcolrs(scan, mem, xmax);
- i = *mem++;
- if (i != 2) return oldreadcolrs(scan, mem - 1, xmax);
+ val = *mem++;
+ if (val != 2) return oldreadcolrs(scan, mem - 1, xmax);
scan[0][GRN] = *mem++;
scan[0][BLU] = *mem++;
- i = *mem++;
- if (((scan[0][BLU] << 8) | i) != xmax) return NULL;
+ val = *mem++;
+ if (((scan[0][BLU] << 8) | val) != xmax) return NULL;
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 4; i++) {
+ size_t j;
for (j = 0; j < xmax; ) {
- code = *mem++;
+ int code = *mem++;
if (code > 128) {
code &= 127;
val = *mem++;
@@ -126,6 +127,7 @@
while (code--)
scan[j++][i] = *mem++;
}
+ }
return mem;
}
@@ -182,11 +184,11 @@
float *rect_float;
int found = 0;
int width = 0, height = 0;
- int x, y;
unsigned char *ptr;
char oriY[80], oriX[80];
if (imb_is_a_hdr((void *)mem)) {
+ size_t x;
colorspace_set_default_role(colorspace, IM_MAX_SPACE, COLOR_ROLE_DEFAULT_FLOAT);
/* find empty line, next line is resolution info */
@@ -197,6 +199,8 @@
}
}
if (found && (x < (size + 2))) {
+ size_t y;
+
if (sscanf((char *)&mem[x + 1], "%79s %d %79s %d", (char *)&oriY, &height,
(char *)&oriX, &width) != 4)
{
@@ -223,6 +227,7 @@
rect_float = ibuf->rect_float;
for (y = 0; y < height; y++) {
+ size_t x;
ptr = freadcolrs(sline, ptr, width);
if (ptr == NULL) {
printf("HDR decode error\n");
@@ -257,7 +262,8 @@
/* ImBuf write */
static int fwritecolrs(FILE *file, int width, int channels, unsigned char *ibufscan, float *fpscan)
{
- int x, i, j, beg, c2, cnt = 0;
+ size_t i, j;
+ int beg, c2, cnt = 0;
fCOLOR fcol;
RGBE rgbe, *rgbe_scan;
@@ -284,7 +290,7 @@
}
if ((width < MINELEN) | (width > MAXELEN)) { /* OOBs, write out flat */
- x = fwrite((char *)rgbe_scan, sizeof(RGBE), width, file) - width;
+ int x = fwrite((char *)rgbe_scan, sizeof(RGBE), width, file) - width;
MEM_freeN(rgbe_scan);
return x;
}
@@ -345,9 +351,10 @@
int imb_savehdr(struct ImBuf *ibuf, const char *name, int flags)
{
+ size_t y;
FILE *file = BLI_fopen(name, "wb");
float *fp = NULL;
- int y, width = ibuf->x, height = ibuf->y;
+ size_t width = ibuf->x, height = ibuf->y;
unsigned char *cp = NULL;
(void)flags; /* unused */
diff -Naur blender-2.68a-original/source/blender/imbuf/intern/tiff.c blender-2.68a/source/blender/imbuf/intern/tiff.c
--- blender-2.68a-original/source/blender/imbuf/intern/tiff.c 2013-07-11 00:38:47.000000000 -0400
+++ blender-2.68a/source/blender/imbuf/intern/tiff.c 2022-04-04 08:30:29.953497643 -0400
@@ -378,7 +378,7 @@
*/
static int imb_read_tiff_pixels(ImBuf *ibuf, TIFF *image)
{
- ImBuf *tmpibuf;
+ ImBuf *tmpibuf = NULL;
int success = 0;
short bitspersample, spp, config;
size_t scanline;
@@ -414,16 +414,25 @@
if (bitspersample == 32) {
ib_flag = IB_rectfloat;
fbuf = (float *)_TIFFmalloc(scanline);
+ if (!fbuf) {
+ goto cleanup;
+ }
}
else if (bitspersample == 16) {
ib_flag = IB_rectfloat;
sbuf = (unsigned short *)_TIFFmalloc(scanline);
+ if (!sbuf) {
+ goto cleanup;
+ }
}
else {
ib_flag = IB_rect;
}
tmpibuf = IMB_allocImBuf(ibuf->x, ibuf->y, ibuf->planes, ib_flag);
+ if (!tmpibuf) {
+ goto cleanup;
+ }
/* simple RGBA image */
if (!(bitspersample == 32 || bitspersample == 16)) {
@@ -432,7 +441,7 @@
/* contiguous channels: RGBRGBRGB */
else if (config == PLANARCONFIG_CONTIG) {
for (row = 0; row < ibuf->y; row++) {
- int ib_offset = ibuf->x * ibuf->y * 4 - ibuf->x * 4 * (row + 1);
+ size_t ib_offset = (size_t)ibuf->x * 4 * ((size_t)ibuf->y - ((size_t)row + 1));
if (bitspersample == 32) {
success |= TIFFReadScanline(image, fbuf, row, 0);
@@ -452,7 +461,7 @@
* but only fill in from the TIFF scanline where necessary. */
for (chan = 0; chan < 4; chan++) {
for (row = 0; row < ibuf->y; row++) {
- int ib_offset = ibuf->x * ibuf->y * 4 - ibuf->x * 4 * (row + 1);
+ size_t ib_offset = (size_t)ibuf->x * 4 * ((size_t)ibuf->y - ((size_t)row + 1));
if (bitspersample == 32) {
if (chan == 3 && spp == 3) /* fill alpha if only RGB TIFF */
@@ -477,11 +486,6 @@
}
}
}
-
- if (bitspersample == 32)
- _TIFFfree(fbuf);
- else if (bitspersample == 16)
- _TIFFfree(sbuf);
if (success) {
/* Code seems to be not needed for 16 bits tif, on PPC G5 OSX (ton) */
@@ -500,6 +504,12 @@
tmpibuf->mall &= ~ib_flag;
}
+cleanup:
+ if (bitspersample == 32)
+ _TIFFfree(fbuf);
+ else if (bitspersample == 16)
+ _TIFFfree(sbuf);
+
IMB_freeImBuf(tmpibuf);
return success;