Submitted By: Armin K. Date: 2015-01-28 Initial Package Version: 1.900.1 Upstream Status: Unknown Origin: Archlinux Description: Fixes multiple security issues, including: CVE-2008-3520, CVE-2008-3522, CVE-2011-4516, CVE-2011-4517, CVE-2014-8137, CVE-2014-8138, CVE-2014-8157, CVE-2014-8158 and CVE-2014-9029. Filename buffer overflow and Stepsizes overflow. --- a/src/libjasper/base/jas_cm.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_cm.c 2015-01-28 17:57:34.114045370 +0100 @@ -704,8 +704,7 @@ { jas_cmpxform_t **p; assert(n >= pxformseq->numpxforms); - p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) : - jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *)); + p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *)); if (!p) { return -1; } @@ -889,13 +888,13 @@ jas_cmshapmatlut_cleanup(lut); if (curv->numents == 0) { lut->size = 2; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; lut->data[0] = 0.0; lut->data[1] = 1.0; } else if (curv->numents == 1) { lut->size = 256; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; gamma = curv->ents[0] / 256.0; for (i = 0; i < lut->size; ++i) { @@ -903,7 +902,7 @@ } } else { lut->size = curv->numents; - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t)))) + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t)))) goto error; for (i = 0; i < lut->size; ++i) { lut->data[i] = curv->ents[i] / 65535.0; @@ -953,7 +952,7 @@ return -1; } } - if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t)))) + if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t)))) return -1; invlut->size = n; for (i = 0; i < invlut->size; ++i) { --- a/src/libjasper/base/jas_icc.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_icc.c 2015-01-28 17:58:32.874025377 +0100 @@ -373,7 +373,7 @@ jas_icctagtab_t *tagtab; tagtab = &prof->tagtab; - if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs * + if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs, sizeof(jas_icctagtabent_t)))) goto error; tagtab->numents = prof->attrtab->numattrs; @@ -522,7 +522,7 @@ } if (jas_iccgetuint32(in, &tagtab->numents)) goto error; - if (!(tagtab->ents = jas_malloc(tagtab->numents * + if (!(tagtab->ents = jas_alloc2(tagtab->numents, sizeof(jas_icctagtabent_t)))) goto error; tagtabent = tagtab->ents; @@ -743,8 +743,7 @@ { jas_iccattr_t *newattrs; assert(maxents >= tab->numattrs); - newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents * - sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t)); + newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t)); if (!newattrs) return -1; tab->attrs = newattrs; @@ -999,7 +998,7 @@ if (jas_iccgetuint32(in, &curv->numents)) goto error; - if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t)))) + if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t)))) goto error; for (i = 0; i < curv->numents; ++i) { if (jas_iccgetuint16(in, &curv->ents[i])) @@ -1011,7 +1010,6 @@ return 0; error: - jas_icccurv_destroy(attrval); return -1; } @@ -1100,7 +1098,7 @@ if (jas_iccgetuint32(in, &txtdesc->uclangcode) || jas_iccgetuint32(in, &txtdesc->uclen)) goto error; - if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2))) + if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2))) goto error; if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) != JAS_CAST(int, txtdesc->uclen * 2)) @@ -1129,7 +1127,6 @@ #endif return 0; error: - jas_icctxtdesc_destroy(attrval); return -1; } @@ -1208,8 +1205,6 @@ goto error; return 0; error: - if (txt->string) - jas_free(txt->string); return -1; } @@ -1292,17 +1287,17 @@ jas_iccgetuint16(in, &lut8->numouttabents)) goto error; clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans; - if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) || - !(lut8->intabsbuf = jas_malloc(lut8->numinchans * - lut8->numintabents * sizeof(jas_iccuint8_t))) || - !(lut8->intabs = jas_malloc(lut8->numinchans * + if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) || + !(lut8->intabsbuf = jas_alloc3(lut8->numinchans, + lut8->numintabents, sizeof(jas_iccuint8_t))) || + !(lut8->intabs = jas_alloc2(lut8->numinchans, sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numinchans; ++i) lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents]; - if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans * - lut8->numouttabents * sizeof(jas_iccuint8_t))) || - !(lut8->outtabs = jas_malloc(lut8->numoutchans * + if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans, + lut8->numouttabents, sizeof(jas_iccuint8_t))) || + !(lut8->outtabs = jas_alloc2(lut8->numoutchans, sizeof(jas_iccuint8_t *)))) goto error; for (i = 0; i < lut8->numoutchans; ++i) @@ -1330,7 +1325,6 @@ goto error; return 0; error: - jas_icclut8_destroy(attrval); return -1; } @@ -1461,17 +1455,17 @@ jas_iccgetuint16(in, &lut16->numouttabents)) goto error; clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans; - if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) || - !(lut16->intabsbuf = jas_malloc(lut16->numinchans * - lut16->numintabents * sizeof(jas_iccuint16_t))) || - !(lut16->intabs = jas_malloc(lut16->numinchans * + if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) || + !(lut16->intabsbuf = jas_alloc3(lut16->numinchans, + lut16->numintabents, sizeof(jas_iccuint16_t))) || + !(lut16->intabs = jas_alloc2(lut16->numinchans, sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numinchans; ++i) lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents]; - if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans * - lut16->numouttabents * sizeof(jas_iccuint16_t))) || - !(lut16->outtabs = jas_malloc(lut16->numoutchans * + if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans, + lut16->numouttabents, sizeof(jas_iccuint16_t))) || + !(lut16->outtabs = jas_alloc2(lut16->numoutchans, sizeof(jas_iccuint16_t *)))) goto error; for (i = 0; i < lut16->numoutchans; ++i) @@ -1499,7 +1493,6 @@ goto error; return 0; error: - jas_icclut16_destroy(attrval); return -1; } --- a/src/libjasper/base/jas_image.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_image.c 2015-01-28 17:57:34.116045403 +0100 @@ -142,7 +142,7 @@ image->inmem_ = true; /* Allocate memory for the per-component information. */ - if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ * + if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, sizeof(jas_image_cmpt_t *)))) { jas_image_destroy(image); return 0; @@ -774,8 +774,7 @@ jas_image_cmpt_t **newcmpts; int cmptno; - newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) : - jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *)); + newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *)); if (!newcmpts) { return -1; } --- a/src/libjasper/base/jas_malloc.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_malloc.c 2015-01-28 17:57:34.116045403 +0100 @@ -76,6 +76,9 @@ /* We need the prototype for memset. */ #include +#include +#include +#include #include "jasper/jas_malloc.h" @@ -113,18 +116,50 @@ void *jas_realloc(void *ptr, size_t size) { - return realloc(ptr, size); + return ptr ? realloc(ptr, size) : malloc(size); } -void *jas_calloc(size_t nmemb, size_t size) +void *jas_realloc2(void *ptr, size_t nmemb, size_t size) +{ + if (!ptr) + return jas_alloc2(nmemb, size); + if (nmemb && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + return jas_realloc(ptr, nmemb * size); + +} + +void *jas_alloc2(size_t nmemb, size_t size) +{ + if (nmemb && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + + return jas_malloc(nmemb * size); +} + +void *jas_alloc3(size_t a, size_t b, size_t c) { - void *ptr; size_t n; - n = nmemb * size; - if (!(ptr = jas_malloc(n * sizeof(char)))) { - return 0; + + if (a && SIZE_MAX / a < b) { + errno = ENOMEM; + return NULL; } - memset(ptr, 0, n); + + return jas_alloc2(a*b, c); +} + +void *jas_calloc(size_t nmemb, size_t size) +{ + void *ptr; + + ptr = jas_alloc2(nmemb, size); + if (ptr) + memset(ptr, 0, nmemb*size); return ptr; } --- a/src/libjasper/base/jas_seq.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_seq.c 2015-01-28 17:57:34.116045403 +0100 @@ -114,7 +114,7 @@ matrix->datasize_ = numrows * numcols; if (matrix->maxrows_ > 0) { - if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_, sizeof(jas_seqent_t *)))) { jas_matrix_destroy(matrix); return 0; @@ -122,7 +122,7 @@ } if (matrix->datasize_ > 0) { - if (!(matrix->data_ = jas_malloc(matrix->datasize_ * + if (!(matrix->data_ = jas_alloc2(matrix->datasize_, sizeof(jas_seqent_t)))) { jas_matrix_destroy(matrix); return 0; @@ -220,7 +220,7 @@ mat0->numrows_ = r1 - r0 + 1; mat0->numcols_ = c1 - c0 + 1; mat0->maxrows_ = mat0->numrows_; - mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *)); + mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)); for (i = 0; i < mat0->numrows_; ++i) { mat0->rows_[i] = mat1->rows_[r0 + i] + c0; } --- a/src/libjasper/base/jas_stream.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/base/jas_stream.c 2015-01-28 17:57:57.483434550 +0100 @@ -212,7 +212,7 @@ if (buf) { obj->buf_ = (unsigned char *) buf; } else { - obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char)); + obj->buf_ = jas_malloc(obj->bufsize_); obj->myalloc_ = 1; } if (!obj->buf_) { @@ -553,7 +553,7 @@ int ret; va_start(ap, fmt); - ret = vsprintf(buf, fmt, ap); + ret = vsnprintf(buf, sizeof buf, fmt, ap); jas_stream_puts(stream, buf); va_end(ap); return ret; @@ -992,7 +992,7 @@ unsigned char *buf; assert(m->buf_); - if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) { + if (!(buf = jas_realloc(m->buf_, bufsize))) { return -1; } m->buf_ = buf; --- a/src/libjasper/bmp/bmp_dec.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/bmp/bmp_dec.c 2015-01-28 17:57:34.117045420 +0100 @@ -283,7 +283,7 @@ } if (info->numcolors > 0) { - if (!(info->palents = jas_malloc(info->numcolors * + if (!(info->palents = jas_alloc2(info->numcolors, sizeof(bmp_palent_t)))) { bmp_info_destroy(info); return 0; --- a/src/libjasper/include/jasper/jas_malloc.h 2007-01-19 22:43:04.000000000 +0100 +++ b/src/libjasper/include/jasper/jas_malloc.h 2015-01-28 17:57:34.118045437 +0100 @@ -95,6 +95,9 @@ #define jas_free MEMFREE #define jas_realloc MEMREALLOC #define jas_calloc MEMCALLOC +#define jas_alloc2(a, b) MEMALLOC((a)*(b)) +#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c)) +#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b)) #endif /******************************************************************************\ @@ -115,6 +118,12 @@ /* Allocate a block of memory and initialize the contents to zero. */ void *jas_calloc(size_t nmemb, size_t size); +/* size-checked double allocation .*/ +void *jas_alloc2(size_t, size_t); + +void *jas_alloc3(size_t, size_t, size_t); + +void *jas_realloc2(void *, size_t, size_t); #endif #ifdef __cplusplus --- a/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/jp2/jp2_cod.c 2015-01-28 17:57:34.118045437 +0100 @@ -247,7 +247,7 @@ box = 0; tmpstream = 0; - if (!(box = jas_malloc(sizeof(jp2_box_t)))) { + if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) { goto error; } box->ops = &jp2_boxinfo_unk.ops; @@ -372,7 +372,7 @@ jp2_bpcc_t *bpcc = &box->data.bpcc; unsigned int i; bpcc->numcmpts = box->datalen; - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) { + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { return -1; } for (i = 0; i < bpcc->numcmpts; ++i) { @@ -416,7 +416,7 @@ break; case JP2_COLR_ICC: colr->iccplen = box->datalen - 3; - if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) { + if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { return -1; } if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { @@ -453,7 +453,7 @@ if (jp2_getuint16(in, &cdef->numchans)) { return -1; } - if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) { + if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) { return -1; } for (channo = 0; channo < cdef->numchans; ++channo) { @@ -766,7 +766,7 @@ unsigned int i; cmap->numchans = (box->datalen) / 4; - if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) { + if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { return -1; } for (i = 0; i < cmap->numchans; ++i) { @@ -828,10 +828,10 @@ return -1; } lutsize = pclr->numlutents * pclr->numchans; - if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) { + if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { return -1; } - if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) { + if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) { return -1; } for (i = 0; i < pclr->numchans; ++i) { --- a/src/libjasper/jp2/jp2_dec.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/jp2/jp2_dec.c 2015-01-28 18:01:07.082617636 +0100 @@ -291,7 +291,10 @@ case JP2_COLR_ICC: iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, dec->colr->data.colr.iccplen); - assert(iccprof); + if (!iccprof) { + jas_eprintf("error: failed to parse ICC profile\n"); + goto error; + } jas_iccprof_gethdr(iccprof, &icchdr); jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); @@ -336,7 +339,7 @@ } /* Allocate space for the channel-number to component-number LUT. */ - if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) { + if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) { jas_eprintf("error: no memory\n"); goto error; } @@ -354,7 +357,7 @@ if (cmapent->map == JP2_CMAP_DIRECT) { dec->chantocmptlut[channo] = channo; } else if (cmapent->map == JP2_CMAP_PALETTE) { - lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t)); + lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t)); for (i = 0; i < pclrd->numlutents; ++i) { lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans]; } @@ -386,6 +389,11 @@ /* Determine the type of each component. */ if (dec->cdef) { for (i = 0; i < dec->numchans; ++i) { + /* Is the channel number reasonable? */ + if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { + jas_eprintf("error: invalid channel number in CDEF box\n"); + goto error; + } jas_image_setcmpttype(dec->image, dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], jp2_getct(jas_image_clrspc(dec->image), --- a/src/libjasper/jp2/jp2_enc.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/jp2/jp2_enc.c 2015-01-28 17:57:34.119045453 +0100 @@ -191,7 +191,7 @@ } bpcc = &box->data.bpcc; bpcc->numcmpts = jas_image_numcmpts(image); - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { goto error; } @@ -285,7 +285,7 @@ } cdef = &box->data.cdef; cdef->numchans = jas_image_numcmpts(image); - cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)); + cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)); for (i = 0; i < jas_image_numcmpts(image); ++i) { cdefchanent = &cdef->ents[i]; cdefchanent->channo = i; --- a/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_cs.c 2015-01-28 17:57:34.120045470 +0100 @@ -502,7 +502,7 @@ !siz->tileheight || !siz->numcomps) { return -1; } - if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) { + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) { return -1; } for (i = 0; i < siz->numcomps; ++i) { @@ -982,8 +982,11 @@ compparms->numstepsizes = (len - n) / 2; break; } - if (compparms->numstepsizes > 0) { - compparms->stepsizes = jas_malloc(compparms->numstepsizes * + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { + compparms->stepsizes = jas_alloc2(compparms->numstepsizes, sizeof(uint_fast16_t)); assert(compparms->stepsizes); for (i = 0; i < compparms->numstepsizes; ++i) { @@ -1091,7 +1094,7 @@ ppm->len = ms->len - 1; if (ppm->len > 0) { - if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) { + if (!(ppm->data = jas_malloc(ppm->len))) { goto error; } if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) { @@ -1160,7 +1163,7 @@ } ppt->len = ms->len - 1; if (ppt->len > 0) { - if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) { + if (!(ppt->data = jas_malloc(ppt->len))) { goto error; } if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) { @@ -1223,7 +1226,7 @@ uint_fast8_t tmp; poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) : (ms->len / 7); - if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) { + if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) { goto error; } for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno, @@ -1328,7 +1331,7 @@ jpc_crgcomp_t *comp; uint_fast16_t compno; crg->numcomps = cstate->numcomps; - if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) { + if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { return -1; } for (compno = 0, comp = crg->comps; compno < cstate->numcomps; @@ -1467,7 +1470,7 @@ cstate = 0; if (ms->len > 0) { - if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) { + if (!(unk->data = jas_malloc(ms->len))) { return -1; } if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) { --- a/src/libjasper/jpc/jpc_dec.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_dec.c 2015-01-28 17:59:44.748230228 +0100 @@ -449,7 +449,7 @@ if (dec->state == JPC_MH) { - compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t)); + compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t)); assert(compinfos); for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos; cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) { @@ -489,7 +489,7 @@ dec->curtileendoff = 0; } - if (JAS_CAST(int, sot->tileno) > dec->numtiles) { + if (JAS_CAST(int, sot->tileno) >= dec->numtiles) { jas_eprintf("invalid tile number in SOT marker segment\n"); return -1; } @@ -692,7 +692,7 @@ tile->realmode = 1; } tcomp->numrlvls = ccp->numrlvls; - if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls * + if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls, sizeof(jpc_dec_rlvl_t)))) { return -1; } @@ -764,7 +764,7 @@ rlvl->cbgheightexpn); rlvl->numbands = (!rlvlno) ? 1 : 3; - if (!(rlvl->bands = jas_malloc(rlvl->numbands * + if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_dec_band_t)))) { return -1; } @@ -797,7 +797,7 @@ assert(rlvl->numprcs); - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) { + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) { return -1; } @@ -834,7 +834,7 @@ if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) { return -1; } - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) { + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) { return -1; } @@ -1069,12 +1069,12 @@ /* Apply an inverse intercomponent transform if necessary. */ switch (tile->cp->mctid) { case JPC_MCT_RCT: - assert(dec->numcomps == 3); + assert(dec->numcomps >= 3); jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; case JPC_MCT_ICT: - assert(dec->numcomps == 3); + assert(dec->numcomps >= 3); jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; @@ -1181,7 +1181,7 @@ return -1; } - if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) { + if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) { return -1; } @@ -1204,7 +1204,7 @@ dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; - if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { return -1; } @@ -1228,7 +1228,7 @@ tile->pkthdrstreampos = 0; tile->pptstab = 0; tile->cp = 0; - if (!(tile->tcomps = jas_malloc(dec->numcomps * + if (!(tile->tcomps = jas_calloc(dec->numcomps, sizeof(jpc_dec_tcomp_t)))) { return -1; } @@ -1280,7 +1280,7 @@ jpc_coc_t *coc = &ms->parms.coc; jpc_dec_tile_t *tile; - if (JAS_CAST(int, coc->compno) > dec->numcomps) { + if (JAS_CAST(int, coc->compno) >= dec->numcomps) { jas_eprintf("invalid component number in COC marker segment\n"); return -1; } @@ -1306,7 +1306,7 @@ jpc_rgn_t *rgn = &ms->parms.rgn; jpc_dec_tile_t *tile; - if (JAS_CAST(int, rgn->compno) > dec->numcomps) { + if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { jas_eprintf("invalid component number in RGN marker segment\n"); return -1; } @@ -1355,7 +1355,7 @@ jpc_qcc_t *qcc = &ms->parms.qcc; jpc_dec_tile_t *tile; - if (JAS_CAST(int, qcc->compno) > dec->numcomps) { + if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { jas_eprintf("invalid component number in QCC marker segment\n"); return -1; } @@ -1489,7 +1489,7 @@ cp->numlyrs = 0; cp->mctid = 0; cp->csty = 0; - if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) { + if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) { return 0; } if (!(cp->pchglist = jpc_pchglist_create())) { @@ -2048,7 +2048,7 @@ } streamlist->numstreams = 0; streamlist->maxstreams = 100; - if (!(streamlist->streams = jas_malloc(streamlist->maxstreams * + if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams, sizeof(jas_stream_t *)))) { jas_free(streamlist); return 0; @@ -2068,8 +2068,8 @@ /* Grow the array of streams if necessary. */ if (streamlist->numstreams >= streamlist->maxstreams) { newmaxstreams = streamlist->maxstreams + 1024; - if (!(newstreams = jas_realloc(streamlist->streams, - (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) { + if (!(newstreams = jas_realloc2(streamlist->streams, + (newmaxstreams + 1024), sizeof(jas_stream_t *)))) { return -1; } for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) { @@ -2155,8 +2155,7 @@ { jpc_ppxstabent_t **newents; if (tab->maxents < maxents) { - newents = (tab->ents) ? jas_realloc(tab->ents, maxents * - sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *)); + newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *)); if (!newents) { return -1; } --- a/src/libjasper/jpc/jpc_enc.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_enc.c 2015-01-28 17:57:34.122045503 +0100 @@ -403,7 +403,7 @@ vsteplcm *= jas_image_cmptvstep(image, cmptno); } - if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) { + if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) { goto error; } for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno, @@ -656,7 +656,7 @@ if (ilyrrates && numilyrrates > 0) { tcp->numlyrs = numilyrrates + 1; - if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) * + if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1), sizeof(jpc_fix_t)))) { goto error; } @@ -940,7 +940,7 @@ siz->tilewidth = cp->tilewidth; siz->tileheight = cp->tileheight; siz->numcomps = cp->numcmpts; - siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)); + siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)); assert(siz->comps); for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) { siz->comps[i].prec = cp->ccps[i].prec; @@ -977,7 +977,7 @@ return -1; } crg = &enc->mrk->parms.crg; - crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t)); + crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t)); if (jpc_putms(enc->out, enc->cstate, enc->mrk)) { jas_eprintf("cannot write CRG marker\n"); return -1; @@ -1955,7 +1955,7 @@ tile->mctid = cp->tcp.mctid; tile->numlyrs = cp->tcp.numlyrs; - if (!(tile->lyrsizes = jas_malloc(tile->numlyrs * + if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs, sizeof(uint_fast32_t)))) { goto error; } @@ -1964,7 +1964,7 @@ } /* Allocate an array for the per-tile-component information. */ - if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) { + if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) { goto error; } /* Initialize a few members critical for error recovery. */ @@ -2110,7 +2110,7 @@ jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data), jas_seq2d_yend(tcmpt->data), bandinfos); - if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) { + if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) { goto error; } for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls; @@ -2213,7 +2213,7 @@ rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn); rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs; - if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) { + if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) { goto error; } for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands; @@ -2290,7 +2290,7 @@ band->synweight = bandinfo->synenergywt; if (band->data) { - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) { + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) { goto error; } for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno, @@ -2422,7 +2422,7 @@ goto error; } - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) { + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) { goto error; } for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks; --- a/src/libjasper/jpc/jpc_mqdec.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_mqdec.c 2015-01-28 17:57:34.126045570 +0100 @@ -118,7 +118,7 @@ mqdec->in = in; mqdec->maxctxs = maxctxs; /* Allocate memory for the per-context state information. */ - if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) { + if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) { goto error; } /* Set the current context to the first context. */ --- a/src/libjasper/jpc/jpc_mqenc.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_mqenc.c 2015-01-28 17:57:34.126045570 +0100 @@ -197,7 +197,7 @@ mqenc->maxctxs = maxctxs; /* Allocate memory for the per-context state information. */ - if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) { + if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) { goto error; } --- a/src/libjasper/jpc/jpc_qmfb.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_qmfb.c 2015-01-28 18:00:17.753785538 +0100 @@ -306,11 +306,7 @@ { int bufsize = JPC_CEILDIVPOW2(numcols, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; -#else - jpc_fix_t splitbuf[bufsize]; -#endif jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; @@ -318,15 +314,13 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } } -#endif if (numcols >= 2) { hstartcol = (numcols + 1 - parity) >> 1; @@ -360,12 +354,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf); } -#endif } @@ -374,11 +366,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; -#else - jpc_fix_t splitbuf[bufsize]; -#endif jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; @@ -386,15 +374,13 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } } -#endif if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; @@ -428,12 +414,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf); } -#endif } @@ -442,11 +426,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; -#else - jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE]; -#endif jpc_fix_t *buf = splitbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; @@ -457,15 +437,13 @@ int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } } -#endif if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; @@ -517,12 +495,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf); } -#endif } @@ -531,11 +507,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; -#else - jpc_fix_t splitbuf[bufsize * numcols]; -#endif jpc_fix_t *buf = splitbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; @@ -546,15 +518,13 @@ int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide in this case. */ abort(); } } -#endif if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; @@ -606,12 +576,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf); } -#endif } @@ -619,26 +587,20 @@ { int bufsize = JPC_CEILDIVPOW2(numcols, 1); -#if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; -#else - jpc_fix_t joinbuf[bufsize]; -#endif jpc_fix_t *buf = joinbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; register int n; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } } -#endif hstartcol = (numcols + 1 - parity) >> 1; @@ -670,12 +632,10 @@ ++srcptr; } -#if !defined(HAVE_VLA) /* If the join buffer was allocated on the heap, free this memory. */ if (buf != joinbuf) { jas_free(buf); } -#endif } @@ -684,26 +644,20 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; -#else - jpc_fix_t joinbuf[bufsize]; -#endif jpc_fix_t *buf = joinbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; register int n; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } } -#endif hstartcol = (numrows + 1 - parity) >> 1; @@ -735,12 +689,10 @@ ++srcptr; } -#if !defined(HAVE_VLA) /* If the join buffer was allocated on the heap, free this memory. */ if (buf != joinbuf) { jas_free(buf); } -#endif } @@ -749,11 +701,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; -#else - jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE]; -#endif jpc_fix_t *buf = joinbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; @@ -763,15 +711,13 @@ register int i; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } } -#endif hstartcol = (numrows + 1 - parity) >> 1; @@ -821,12 +767,10 @@ srcptr += JPC_QMFB_COLGRPSIZE; } -#if !defined(HAVE_VLA) /* If the join buffer was allocated on the heap, free this memory. */ if (buf != joinbuf) { jas_free(buf); } -#endif } @@ -835,11 +779,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; -#else - jpc_fix_t joinbuf[bufsize * numcols]; -#endif jpc_fix_t *buf = joinbuf; jpc_fix_t *srcptr; jpc_fix_t *dstptr; @@ -849,15 +789,13 @@ register int i; int hstartcol; -#if !defined(HAVE_VLA) /* Allocate memory for the join buffer from the heap. */ if (bufsize > QMFB_JOINBUFSIZE) { - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) { + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) { /* We have no choice but to commit suicide. */ abort(); } } -#endif hstartcol = (numrows + 1 - parity) >> 1; @@ -907,12 +845,10 @@ srcptr += numcols; } -#if !defined(HAVE_VLA) /* If the join buffer was allocated on the heap, free this memory. */ if (buf != joinbuf) { jas_free(buf); } -#endif } --- a/src/libjasper/jpc/jpc_t1enc.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_t1enc.c 2015-01-28 17:57:34.128045603 +0100 @@ -219,7 +219,7 @@ cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0; if (cblk->numpasses > 0) { - cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t)); + cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t)); assert(cblk->passes); } else { cblk->passes = 0; --- a/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_t2cod.c 2015-01-28 17:57:34.128045603 +0100 @@ -573,7 +573,7 @@ } if (pchglist->numpchgs >= pchglist->maxpchgs) { newmaxpchgs = pchglist->maxpchgs + 128; - if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) { + if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) { return -1; } pchglist->maxpchgs = newmaxpchgs; --- a/src/libjasper/jpc/jpc_t2dec.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_t2dec.c 2015-01-28 17:57:34.129045620 +0100 @@ -478,7 +478,7 @@ return 0; } pi->numcomps = dec->numcomps; - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { jpc_pi_destroy(pi); return 0; } @@ -490,7 +490,7 @@ for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps; compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { picomp->numrlvls = tcomp->numrlvls; - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, sizeof(jpc_pirlvl_t)))) { jpc_pi_destroy(pi); return 0; @@ -503,7 +503,7 @@ rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) { /* XXX sizeof(long) should be sizeof different type */ pirlvl->numprcs = rlvl->numprcs; - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, sizeof(long)))) { jpc_pi_destroy(pi); return 0; --- a/src/libjasper/jpc/jpc_t2enc.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_t2enc.c 2015-01-28 17:57:34.129045620 +0100 @@ -565,7 +565,7 @@ } pi->pktno = -1; pi->numcomps = cp->numcmpts; - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) { + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) { jpc_pi_destroy(pi); return 0; } @@ -577,7 +577,7 @@ for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps; compno < pi->numcomps; ++compno, ++tcomp, ++picomp) { picomp->numrlvls = tcomp->numrlvls; - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls * + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls, sizeof(jpc_pirlvl_t)))) { jpc_pi_destroy(pi); return 0; @@ -591,7 +591,7 @@ /* XXX sizeof(long) should be sizeof different type */ pirlvl->numprcs = rlvl->numprcs; if (rlvl->numprcs) { - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs * + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs, sizeof(long)))) { jpc_pi_destroy(pi); return 0; --- a/src/libjasper/jpc/jpc_tagtree.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_tagtree.c 2015-01-28 17:57:34.130045636 +0100 @@ -125,7 +125,7 @@ ++numlvls; } while (n > 1); - if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) { + if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) { return 0; } --- a/src/libjasper/jpc/jpc_util.c 2007-01-19 22:43:07.000000000 +0100 +++ b/src/libjasper/jpc/jpc_util.c 2015-01-28 17:57:34.130045636 +0100 @@ -109,7 +109,7 @@ } if (n) { - if (!(vs = jas_malloc(n * sizeof(double)))) { + if (!(vs = jas_alloc2(n, sizeof(double)))) { return -1; } --- a/src/libjasper/mif/mif_cod.c 2007-01-19 22:43:05.000000000 +0100 +++ b/src/libjasper/mif/mif_cod.c 2015-01-28 17:57:34.131045653 +0100 @@ -438,8 +438,7 @@ int cmptno; mif_cmpt_t **newcmpts; assert(maxcmpts >= hdr->numcmpts); - newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) : - jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *)); + newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *)); if (!newcmpts) { return -1; }