wok-next view jasper/stuff/patches/jasper-1.900.1-security_fixes-2.patch @ rev 19693
Add: gcr, oniguruma; remove: nano-doc; up: apr, fribidi, jasper, libgphoto2, libmtp, libunique, libwebp, nano, pcre, apr, apr-util, aspell*, glib-networking, gnutls, gsettings-desktop-schemas, gtk+, gtk+3, gvfs*, libexif, libfm, libgnutls, libmng, libraw, libsoup, libtasn1, libusb, libwebp, lxmenu-data, menu-cache, mysql, newt, p11-kit, pcre, popt, postgresql, slang, which
| author | Aleksej Bobylev <al.bobylev@gmail.com> |
|---|---|
| date | Fri Apr 21 14:48:05 2017 +0300 (2017-04-21) |
| parents | |
| children |
line source
1 Submitted By: Armin K. <krejzi at email dot com>
2 Date: 2015-01-28
3 Initial Package Version: 1.900.1
4 Upstream Status: Unknown
5 Origin: Archlinux
6 Description: Fixes multiple security issues, including:
7 CVE-2008-3520, CVE-2008-3522, CVE-2011-4516, CVE-2011-4517,
8 CVE-2014-8137, CVE-2014-8138, CVE-2014-8157, CVE-2014-8158 and
9 CVE-2014-9029. Filename buffer overflow and Stepsizes overflow.
11 --- a/src/libjasper/base/jas_cm.c 2007-01-19 22:43:05.000000000 +0100
12 +++ b/src/libjasper/base/jas_cm.c 2015-01-28 17:57:34.114045370 +0100
13 @@ -704,8 +704,7 @@
14 {
15 jas_cmpxform_t **p;
16 assert(n >= pxformseq->numpxforms);
17 - p = (!pxformseq->pxforms) ? jas_malloc(n * sizeof(jas_cmpxform_t *)) :
18 - jas_realloc(pxformseq->pxforms, n * sizeof(jas_cmpxform_t *));
19 + p = jas_realloc2(pxformseq->pxforms, n, sizeof(jas_cmpxform_t *));
20 if (!p) {
21 return -1;
22 }
23 @@ -889,13 +888,13 @@
24 jas_cmshapmatlut_cleanup(lut);
25 if (curv->numents == 0) {
26 lut->size = 2;
27 - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
28 + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
29 goto error;
30 lut->data[0] = 0.0;
31 lut->data[1] = 1.0;
32 } else if (curv->numents == 1) {
33 lut->size = 256;
34 - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
35 + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
36 goto error;
37 gamma = curv->ents[0] / 256.0;
38 for (i = 0; i < lut->size; ++i) {
39 @@ -903,7 +902,7 @@
40 }
41 } else {
42 lut->size = curv->numents;
43 - if (!(lut->data = jas_malloc(lut->size * sizeof(jas_cmreal_t))))
44 + if (!(lut->data = jas_alloc2(lut->size, sizeof(jas_cmreal_t))))
45 goto error;
46 for (i = 0; i < lut->size; ++i) {
47 lut->data[i] = curv->ents[i] / 65535.0;
48 @@ -953,7 +952,7 @@
49 return -1;
50 }
51 }
52 - if (!(invlut->data = jas_malloc(n * sizeof(jas_cmreal_t))))
53 + if (!(invlut->data = jas_alloc2(n, sizeof(jas_cmreal_t))))
54 return -1;
55 invlut->size = n;
56 for (i = 0; i < invlut->size; ++i) {
57 --- a/src/libjasper/base/jas_icc.c 2007-01-19 22:43:05.000000000 +0100
58 +++ b/src/libjasper/base/jas_icc.c 2015-01-28 17:58:32.874025377 +0100
59 @@ -373,7 +373,7 @@
60 jas_icctagtab_t *tagtab;
62 tagtab = &prof->tagtab;
63 - if (!(tagtab->ents = jas_malloc(prof->attrtab->numattrs *
64 + if (!(tagtab->ents = jas_alloc2(prof->attrtab->numattrs,
65 sizeof(jas_icctagtabent_t))))
66 goto error;
67 tagtab->numents = prof->attrtab->numattrs;
68 @@ -522,7 +522,7 @@
69 }
70 if (jas_iccgetuint32(in, &tagtab->numents))
71 goto error;
72 - if (!(tagtab->ents = jas_malloc(tagtab->numents *
73 + if (!(tagtab->ents = jas_alloc2(tagtab->numents,
74 sizeof(jas_icctagtabent_t))))
75 goto error;
76 tagtabent = tagtab->ents;
77 @@ -743,8 +743,7 @@
78 {
79 jas_iccattr_t *newattrs;
80 assert(maxents >= tab->numattrs);
81 - newattrs = tab->attrs ? jas_realloc(tab->attrs, maxents *
82 - sizeof(jas_iccattr_t)) : jas_malloc(maxents * sizeof(jas_iccattr_t));
83 + newattrs = jas_realloc2(tab->attrs, maxents, sizeof(jas_iccattr_t));
84 if (!newattrs)
85 return -1;
86 tab->attrs = newattrs;
87 @@ -999,7 +998,7 @@
89 if (jas_iccgetuint32(in, &curv->numents))
90 goto error;
91 - if (!(curv->ents = jas_malloc(curv->numents * sizeof(jas_iccuint16_t))))
92 + if (!(curv->ents = jas_alloc2(curv->numents, sizeof(jas_iccuint16_t))))
93 goto error;
94 for (i = 0; i < curv->numents; ++i) {
95 if (jas_iccgetuint16(in, &curv->ents[i]))
96 @@ -1011,7 +1010,6 @@
97 return 0;
99 error:
100 - jas_icccurv_destroy(attrval);
101 return -1;
102 }
104 @@ -1100,7 +1098,7 @@
105 if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
106 jas_iccgetuint32(in, &txtdesc->uclen))
107 goto error;
108 - if (!(txtdesc->ucdata = jas_malloc(txtdesc->uclen * 2)))
109 + if (!(txtdesc->ucdata = jas_alloc2(txtdesc->uclen, 2)))
110 goto error;
111 if (jas_stream_read(in, txtdesc->ucdata, txtdesc->uclen * 2) !=
112 JAS_CAST(int, txtdesc->uclen * 2))
113 @@ -1129,7 +1127,6 @@
114 #endif
115 return 0;
116 error:
117 - jas_icctxtdesc_destroy(attrval);
118 return -1;
119 }
121 @@ -1208,8 +1205,6 @@
122 goto error;
123 return 0;
124 error:
125 - if (txt->string)
126 - jas_free(txt->string);
127 return -1;
128 }
130 @@ -1292,17 +1287,17 @@
131 jas_iccgetuint16(in, &lut8->numouttabents))
132 goto error;
133 clutsize = jas_iccpowi(lut8->clutlen, lut8->numinchans) * lut8->numoutchans;
134 - if (!(lut8->clut = jas_malloc(clutsize * sizeof(jas_iccuint8_t))) ||
135 - !(lut8->intabsbuf = jas_malloc(lut8->numinchans *
136 - lut8->numintabents * sizeof(jas_iccuint8_t))) ||
137 - !(lut8->intabs = jas_malloc(lut8->numinchans *
138 + if (!(lut8->clut = jas_alloc2(clutsize, sizeof(jas_iccuint8_t))) ||
139 + !(lut8->intabsbuf = jas_alloc3(lut8->numinchans,
140 + lut8->numintabents, sizeof(jas_iccuint8_t))) ||
141 + !(lut8->intabs = jas_alloc2(lut8->numinchans,
142 sizeof(jas_iccuint8_t *))))
143 goto error;
144 for (i = 0; i < lut8->numinchans; ++i)
145 lut8->intabs[i] = &lut8->intabsbuf[i * lut8->numintabents];
146 - if (!(lut8->outtabsbuf = jas_malloc(lut8->numoutchans *
147 - lut8->numouttabents * sizeof(jas_iccuint8_t))) ||
148 - !(lut8->outtabs = jas_malloc(lut8->numoutchans *
149 + if (!(lut8->outtabsbuf = jas_alloc3(lut8->numoutchans,
150 + lut8->numouttabents, sizeof(jas_iccuint8_t))) ||
151 + !(lut8->outtabs = jas_alloc2(lut8->numoutchans,
152 sizeof(jas_iccuint8_t *))))
153 goto error;
154 for (i = 0; i < lut8->numoutchans; ++i)
155 @@ -1330,7 +1325,6 @@
156 goto error;
157 return 0;
158 error:
159 - jas_icclut8_destroy(attrval);
160 return -1;
161 }
163 @@ -1461,17 +1455,17 @@
164 jas_iccgetuint16(in, &lut16->numouttabents))
165 goto error;
166 clutsize = jas_iccpowi(lut16->clutlen, lut16->numinchans) * lut16->numoutchans;
167 - if (!(lut16->clut = jas_malloc(clutsize * sizeof(jas_iccuint16_t))) ||
168 - !(lut16->intabsbuf = jas_malloc(lut16->numinchans *
169 - lut16->numintabents * sizeof(jas_iccuint16_t))) ||
170 - !(lut16->intabs = jas_malloc(lut16->numinchans *
171 + if (!(lut16->clut = jas_alloc2(clutsize, sizeof(jas_iccuint16_t))) ||
172 + !(lut16->intabsbuf = jas_alloc3(lut16->numinchans,
173 + lut16->numintabents, sizeof(jas_iccuint16_t))) ||
174 + !(lut16->intabs = jas_alloc2(lut16->numinchans,
175 sizeof(jas_iccuint16_t *))))
176 goto error;
177 for (i = 0; i < lut16->numinchans; ++i)
178 lut16->intabs[i] = &lut16->intabsbuf[i * lut16->numintabents];
179 - if (!(lut16->outtabsbuf = jas_malloc(lut16->numoutchans *
180 - lut16->numouttabents * sizeof(jas_iccuint16_t))) ||
181 - !(lut16->outtabs = jas_malloc(lut16->numoutchans *
182 + if (!(lut16->outtabsbuf = jas_alloc3(lut16->numoutchans,
183 + lut16->numouttabents, sizeof(jas_iccuint16_t))) ||
184 + !(lut16->outtabs = jas_alloc2(lut16->numoutchans,
185 sizeof(jas_iccuint16_t *))))
186 goto error;
187 for (i = 0; i < lut16->numoutchans; ++i)
188 @@ -1499,7 +1493,6 @@
189 goto error;
190 return 0;
191 error:
192 - jas_icclut16_destroy(attrval);
193 return -1;
194 }
196 --- a/src/libjasper/base/jas_image.c 2007-01-19 22:43:05.000000000 +0100
197 +++ b/src/libjasper/base/jas_image.c 2015-01-28 17:57:34.116045403 +0100
198 @@ -142,7 +142,7 @@
199 image->inmem_ = true;
201 /* Allocate memory for the per-component information. */
202 - if (!(image->cmpts_ = jas_malloc(image->maxcmpts_ *
203 + if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_,
204 sizeof(jas_image_cmpt_t *)))) {
205 jas_image_destroy(image);
206 return 0;
207 @@ -774,8 +774,7 @@
208 jas_image_cmpt_t **newcmpts;
209 int cmptno;
211 - newcmpts = (!image->cmpts_) ? jas_malloc(maxcmpts * sizeof(jas_image_cmpt_t *)) :
212 - jas_realloc(image->cmpts_, maxcmpts * sizeof(jas_image_cmpt_t *));
213 + newcmpts = jas_realloc2(image->cmpts_, maxcmpts, sizeof(jas_image_cmpt_t *));
214 if (!newcmpts) {
215 return -1;
216 }
217 --- a/src/libjasper/base/jas_malloc.c 2007-01-19 22:43:05.000000000 +0100
218 +++ b/src/libjasper/base/jas_malloc.c 2015-01-28 17:57:34.116045403 +0100
219 @@ -76,6 +76,9 @@
221 /* We need the prototype for memset. */
222 #include <string.h>
223 +#include <limits.h>
224 +#include <errno.h>
225 +#include <stdint.h>
227 #include "jasper/jas_malloc.h"
229 @@ -113,18 +116,50 @@
231 void *jas_realloc(void *ptr, size_t size)
232 {
233 - return realloc(ptr, size);
234 + return ptr ? realloc(ptr, size) : malloc(size);
235 }
237 -void *jas_calloc(size_t nmemb, size_t size)
238 +void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
239 +{
240 + if (!ptr)
241 + return jas_alloc2(nmemb, size);
242 + if (nmemb && SIZE_MAX / nmemb < size) {
243 + errno = ENOMEM;
244 + return NULL;
245 + }
246 + return jas_realloc(ptr, nmemb * size);
247 +
248 +}
249 +
250 +void *jas_alloc2(size_t nmemb, size_t size)
251 +{
252 + if (nmemb && SIZE_MAX / nmemb < size) {
253 + errno = ENOMEM;
254 + return NULL;
255 + }
256 +
257 + return jas_malloc(nmemb * size);
258 +}
259 +
260 +void *jas_alloc3(size_t a, size_t b, size_t c)
261 {
262 - void *ptr;
263 size_t n;
264 - n = nmemb * size;
265 - if (!(ptr = jas_malloc(n * sizeof(char)))) {
266 - return 0;
267 +
268 + if (a && SIZE_MAX / a < b) {
269 + errno = ENOMEM;
270 + return NULL;
271 }
272 - memset(ptr, 0, n);
273 +
274 + return jas_alloc2(a*b, c);
275 +}
276 +
277 +void *jas_calloc(size_t nmemb, size_t size)
278 +{
279 + void *ptr;
280 +
281 + ptr = jas_alloc2(nmemb, size);
282 + if (ptr)
283 + memset(ptr, 0, nmemb*size);
284 return ptr;
285 }
287 --- a/src/libjasper/base/jas_seq.c 2007-01-19 22:43:05.000000000 +0100
288 +++ b/src/libjasper/base/jas_seq.c 2015-01-28 17:57:34.116045403 +0100
289 @@ -114,7 +114,7 @@
290 matrix->datasize_ = numrows * numcols;
292 if (matrix->maxrows_ > 0) {
293 - if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
294 + if (!(matrix->rows_ = jas_alloc2(matrix->maxrows_,
295 sizeof(jas_seqent_t *)))) {
296 jas_matrix_destroy(matrix);
297 return 0;
298 @@ -122,7 +122,7 @@
299 }
301 if (matrix->datasize_ > 0) {
302 - if (!(matrix->data_ = jas_malloc(matrix->datasize_ *
303 + if (!(matrix->data_ = jas_alloc2(matrix->datasize_,
304 sizeof(jas_seqent_t)))) {
305 jas_matrix_destroy(matrix);
306 return 0;
307 @@ -220,7 +220,7 @@
308 mat0->numrows_ = r1 - r0 + 1;
309 mat0->numcols_ = c1 - c0 + 1;
310 mat0->maxrows_ = mat0->numrows_;
311 - mat0->rows_ = jas_malloc(mat0->maxrows_ * sizeof(jas_seqent_t *));
312 + mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
313 for (i = 0; i < mat0->numrows_; ++i) {
314 mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
315 }
316 --- a/src/libjasper/base/jas_stream.c 2007-01-19 22:43:05.000000000 +0100
317 +++ b/src/libjasper/base/jas_stream.c 2015-01-28 17:57:57.483434550 +0100
318 @@ -212,7 +212,7 @@
319 if (buf) {
320 obj->buf_ = (unsigned char *) buf;
321 } else {
322 - obj->buf_ = jas_malloc(obj->bufsize_ * sizeof(char));
323 + obj->buf_ = jas_malloc(obj->bufsize_);
324 obj->myalloc_ = 1;
325 }
326 if (!obj->buf_) {
327 @@ -553,7 +553,7 @@
328 int ret;
330 va_start(ap, fmt);
331 - ret = vsprintf(buf, fmt, ap);
332 + ret = vsnprintf(buf, sizeof buf, fmt, ap);
333 jas_stream_puts(stream, buf);
334 va_end(ap);
335 return ret;
336 @@ -992,7 +992,7 @@
337 unsigned char *buf;
339 assert(m->buf_);
340 - if (!(buf = jas_realloc(m->buf_, bufsize * sizeof(unsigned char)))) {
341 + if (!(buf = jas_realloc(m->buf_, bufsize))) {
342 return -1;
343 }
344 m->buf_ = buf;
345 --- a/src/libjasper/bmp/bmp_dec.c 2007-01-19 22:43:07.000000000 +0100
346 +++ b/src/libjasper/bmp/bmp_dec.c 2015-01-28 17:57:34.117045420 +0100
347 @@ -283,7 +283,7 @@
348 }
350 if (info->numcolors > 0) {
351 - if (!(info->palents = jas_malloc(info->numcolors *
352 + if (!(info->palents = jas_alloc2(info->numcolors,
353 sizeof(bmp_palent_t)))) {
354 bmp_info_destroy(info);
355 return 0;
356 --- a/src/libjasper/include/jasper/jas_malloc.h 2007-01-19 22:43:04.000000000 +0100
357 +++ b/src/libjasper/include/jasper/jas_malloc.h 2015-01-28 17:57:34.118045437 +0100
358 @@ -95,6 +95,9 @@
359 #define jas_free MEMFREE
360 #define jas_realloc MEMREALLOC
361 #define jas_calloc MEMCALLOC
362 +#define jas_alloc2(a, b) MEMALLOC((a)*(b))
363 +#define jas_alloc3(a, b, c) MEMALLOC((a)*(b)*(c))
364 +#define jas_realloc2(p, a, b) MEMREALLOC((p), (a)*(b))
365 #endif
367 /******************************************************************************\
368 @@ -115,6 +118,12 @@
369 /* Allocate a block of memory and initialize the contents to zero. */
370 void *jas_calloc(size_t nmemb, size_t size);
372 +/* size-checked double allocation .*/
373 +void *jas_alloc2(size_t, size_t);
374 +
375 +void *jas_alloc3(size_t, size_t, size_t);
376 +
377 +void *jas_realloc2(void *, size_t, size_t);
378 #endif
380 #ifdef __cplusplus
381 --- a/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100
382 +++ b/src/libjasper/jp2/jp2_cod.c 2015-01-28 17:57:34.118045437 +0100
383 @@ -247,7 +247,7 @@
384 box = 0;
385 tmpstream = 0;
387 - if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
388 + if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
389 goto error;
390 }
391 box->ops = &jp2_boxinfo_unk.ops;
392 @@ -372,7 +372,7 @@
393 jp2_bpcc_t *bpcc = &box->data.bpcc;
394 unsigned int i;
395 bpcc->numcmpts = box->datalen;
396 - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts * sizeof(uint_fast8_t)))) {
397 + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
398 return -1;
399 }
400 for (i = 0; i < bpcc->numcmpts; ++i) {
401 @@ -416,7 +416,7 @@
402 break;
403 case JP2_COLR_ICC:
404 colr->iccplen = box->datalen - 3;
405 - if (!(colr->iccp = jas_malloc(colr->iccplen * sizeof(uint_fast8_t)))) {
406 + if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) {
407 return -1;
408 }
409 if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) {
410 @@ -453,7 +453,7 @@
411 if (jp2_getuint16(in, &cdef->numchans)) {
412 return -1;
413 }
414 - if (!(cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t)))) {
415 + if (!(cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t)))) {
416 return -1;
417 }
418 for (channo = 0; channo < cdef->numchans; ++channo) {
419 @@ -766,7 +766,7 @@
420 unsigned int i;
422 cmap->numchans = (box->datalen) / 4;
423 - if (!(cmap->ents = jas_malloc(cmap->numchans * sizeof(jp2_cmapent_t)))) {
424 + if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
425 return -1;
426 }
427 for (i = 0; i < cmap->numchans; ++i) {
428 @@ -828,10 +828,10 @@
429 return -1;
430 }
431 lutsize = pclr->numlutents * pclr->numchans;
432 - if (!(pclr->lutdata = jas_malloc(lutsize * sizeof(int_fast32_t)))) {
433 + if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
434 return -1;
435 }
436 - if (!(pclr->bpc = jas_malloc(pclr->numchans * sizeof(uint_fast8_t)))) {
437 + if (!(pclr->bpc = jas_alloc2(pclr->numchans, sizeof(uint_fast8_t)))) {
438 return -1;
439 }
440 for (i = 0; i < pclr->numchans; ++i) {
441 --- a/src/libjasper/jp2/jp2_dec.c 2007-01-19 22:43:05.000000000 +0100
442 +++ b/src/libjasper/jp2/jp2_dec.c 2015-01-28 18:01:07.082617636 +0100
443 @@ -291,7 +291,10 @@
444 case JP2_COLR_ICC:
445 iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
446 dec->colr->data.colr.iccplen);
447 - assert(iccprof);
448 + if (!iccprof) {
449 + jas_eprintf("error: failed to parse ICC profile\n");
450 + goto error;
451 + }
452 jas_iccprof_gethdr(iccprof, &icchdr);
453 jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
454 jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
455 @@ -336,7 +339,7 @@
456 }
458 /* Allocate space for the channel-number to component-number LUT. */
459 - if (!(dec->chantocmptlut = jas_malloc(dec->numchans * sizeof(uint_fast16_t)))) {
460 + if (!(dec->chantocmptlut = jas_alloc2(dec->numchans, sizeof(uint_fast16_t)))) {
461 jas_eprintf("error: no memory\n");
462 goto error;
463 }
464 @@ -354,7 +357,7 @@
465 if (cmapent->map == JP2_CMAP_DIRECT) {
466 dec->chantocmptlut[channo] = channo;
467 } else if (cmapent->map == JP2_CMAP_PALETTE) {
468 - lutents = jas_malloc(pclrd->numlutents * sizeof(int_fast32_t));
469 + lutents = jas_alloc2(pclrd->numlutents, sizeof(int_fast32_t));
470 for (i = 0; i < pclrd->numlutents; ++i) {
471 lutents[i] = pclrd->lutdata[cmapent->pcol + i * pclrd->numchans];
472 }
473 @@ -386,6 +389,11 @@
474 /* Determine the type of each component. */
475 if (dec->cdef) {
476 for (i = 0; i < dec->numchans; ++i) {
477 + /* Is the channel number reasonable? */
478 + if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
479 + jas_eprintf("error: invalid channel number in CDEF box\n");
480 + goto error;
481 + }
482 jas_image_setcmpttype(dec->image,
483 dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
484 jp2_getct(jas_image_clrspc(dec->image),
485 --- a/src/libjasper/jp2/jp2_enc.c 2007-01-19 22:43:05.000000000 +0100
486 +++ b/src/libjasper/jp2/jp2_enc.c 2015-01-28 17:57:34.119045453 +0100
487 @@ -191,7 +191,7 @@
488 }
489 bpcc = &box->data.bpcc;
490 bpcc->numcmpts = jas_image_numcmpts(image);
491 - if (!(bpcc->bpcs = jas_malloc(bpcc->numcmpts *
492 + if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts,
493 sizeof(uint_fast8_t)))) {
494 goto error;
495 }
496 @@ -285,7 +285,7 @@
497 }
498 cdef = &box->data.cdef;
499 cdef->numchans = jas_image_numcmpts(image);
500 - cdef->ents = jas_malloc(cdef->numchans * sizeof(jp2_cdefchan_t));
501 + cdef->ents = jas_alloc2(cdef->numchans, sizeof(jp2_cdefchan_t));
502 for (i = 0; i < jas_image_numcmpts(image); ++i) {
503 cdefchanent = &cdef->ents[i];
504 cdefchanent->channo = i;
505 --- a/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
506 +++ b/src/libjasper/jpc/jpc_cs.c 2015-01-28 17:57:34.120045470 +0100
507 @@ -502,7 +502,7 @@
508 !siz->tileheight || !siz->numcomps) {
509 return -1;
510 }
511 - if (!(siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t)))) {
512 + if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
513 return -1;
514 }
515 for (i = 0; i < siz->numcomps; ++i) {
516 @@ -982,8 +982,11 @@
517 compparms->numstepsizes = (len - n) / 2;
518 break;
519 }
520 - if (compparms->numstepsizes > 0) {
521 - compparms->stepsizes = jas_malloc(compparms->numstepsizes *
522 + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
523 + jpc_qcx_destroycompparms(compparms);
524 + return -1;
525 + } else if (compparms->numstepsizes > 0) {
526 + compparms->stepsizes = jas_alloc2(compparms->numstepsizes,
527 sizeof(uint_fast16_t));
528 assert(compparms->stepsizes);
529 for (i = 0; i < compparms->numstepsizes; ++i) {
530 @@ -1091,7 +1094,7 @@
532 ppm->len = ms->len - 1;
533 if (ppm->len > 0) {
534 - if (!(ppm->data = jas_malloc(ppm->len * sizeof(unsigned char)))) {
535 + if (!(ppm->data = jas_malloc(ppm->len))) {
536 goto error;
537 }
538 if (JAS_CAST(uint, jas_stream_read(in, ppm->data, ppm->len)) != ppm->len) {
539 @@ -1160,7 +1163,7 @@
540 }
541 ppt->len = ms->len - 1;
542 if (ppt->len > 0) {
543 - if (!(ppt->data = jas_malloc(ppt->len * sizeof(unsigned char)))) {
544 + if (!(ppt->data = jas_malloc(ppt->len))) {
545 goto error;
546 }
547 if (jas_stream_read(in, (char *) ppt->data, ppt->len) != JAS_CAST(int, ppt->len)) {
548 @@ -1223,7 +1226,7 @@
549 uint_fast8_t tmp;
550 poc->numpchgs = (cstate->numcomps > 256) ? (ms->len / 9) :
551 (ms->len / 7);
552 - if (!(poc->pchgs = jas_malloc(poc->numpchgs * sizeof(jpc_pocpchg_t)))) {
553 + if (!(poc->pchgs = jas_alloc2(poc->numpchgs, sizeof(jpc_pocpchg_t)))) {
554 goto error;
555 }
556 for (pchgno = 0, pchg = poc->pchgs; pchgno < poc->numpchgs; ++pchgno,
557 @@ -1328,7 +1331,7 @@
558 jpc_crgcomp_t *comp;
559 uint_fast16_t compno;
560 crg->numcomps = cstate->numcomps;
561 - if (!(crg->comps = jas_malloc(cstate->numcomps * sizeof(uint_fast16_t)))) {
562 + if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
563 return -1;
564 }
565 for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
566 @@ -1467,7 +1470,7 @@
567 cstate = 0;
569 if (ms->len > 0) {
570 - if (!(unk->data = jas_malloc(ms->len * sizeof(unsigned char)))) {
571 + if (!(unk->data = jas_malloc(ms->len))) {
572 return -1;
573 }
574 if (jas_stream_read(in, (char *) unk->data, ms->len) != JAS_CAST(int, ms->len)) {
575 --- a/src/libjasper/jpc/jpc_dec.c 2007-01-19 22:43:07.000000000 +0100
576 +++ b/src/libjasper/jpc/jpc_dec.c 2015-01-28 17:59:44.748230228 +0100
577 @@ -449,7 +449,7 @@
579 if (dec->state == JPC_MH) {
581 - compinfos = jas_malloc(dec->numcomps * sizeof(jas_image_cmptparm_t));
582 + compinfos = jas_alloc2(dec->numcomps, sizeof(jas_image_cmptparm_t));
583 assert(compinfos);
584 for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
585 cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
586 @@ -489,7 +489,7 @@
587 dec->curtileendoff = 0;
588 }
590 - if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
591 + if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
592 jas_eprintf("invalid tile number in SOT marker segment\n");
593 return -1;
594 }
595 @@ -692,7 +692,7 @@
596 tile->realmode = 1;
597 }
598 tcomp->numrlvls = ccp->numrlvls;
599 - if (!(tcomp->rlvls = jas_malloc(tcomp->numrlvls *
600 + if (!(tcomp->rlvls = jas_alloc2(tcomp->numrlvls,
601 sizeof(jpc_dec_rlvl_t)))) {
602 return -1;
603 }
604 @@ -764,7 +764,7 @@
605 rlvl->cbgheightexpn);
607 rlvl->numbands = (!rlvlno) ? 1 : 3;
608 - if (!(rlvl->bands = jas_malloc(rlvl->numbands *
609 + if (!(rlvl->bands = jas_alloc2(rlvl->numbands,
610 sizeof(jpc_dec_band_t)))) {
611 return -1;
612 }
613 @@ -797,7 +797,7 @@
615 assert(rlvl->numprcs);
617 - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_dec_prc_t)))) {
618 + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_dec_prc_t)))) {
619 return -1;
620 }
622 @@ -834,7 +834,7 @@
623 if (!(prc->numimsbstagtree = jpc_tagtree_create(prc->numhcblks, prc->numvcblks))) {
624 return -1;
625 }
626 - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_dec_cblk_t)))) {
627 + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_dec_cblk_t)))) {
628 return -1;
629 }
631 @@ -1069,12 +1069,12 @@
632 /* Apply an inverse intercomponent transform if necessary. */
633 switch (tile->cp->mctid) {
634 case JPC_MCT_RCT:
635 - assert(dec->numcomps == 3);
636 + assert(dec->numcomps >= 3);
637 jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data,
638 tile->tcomps[2].data);
639 break;
640 case JPC_MCT_ICT:
641 - assert(dec->numcomps == 3);
642 + assert(dec->numcomps >= 3);
643 jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data,
644 tile->tcomps[2].data);
645 break;
646 @@ -1181,7 +1181,7 @@
647 return -1;
648 }
650 - if (!(dec->cmpts = jas_malloc(dec->numcomps * sizeof(jpc_dec_cmpt_t)))) {
651 + if (!(dec->cmpts = jas_alloc2(dec->numcomps, sizeof(jpc_dec_cmpt_t)))) {
652 return -1;
653 }
655 @@ -1204,7 +1204,7 @@
656 dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
657 dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
658 dec->numtiles = dec->numhtiles * dec->numvtiles;
659 - if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
660 + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
661 return -1;
662 }
664 @@ -1228,7 +1228,7 @@
665 tile->pkthdrstreampos = 0;
666 tile->pptstab = 0;
667 tile->cp = 0;
668 - if (!(tile->tcomps = jas_malloc(dec->numcomps *
669 + if (!(tile->tcomps = jas_calloc(dec->numcomps,
670 sizeof(jpc_dec_tcomp_t)))) {
671 return -1;
672 }
673 @@ -1280,7 +1280,7 @@
674 jpc_coc_t *coc = &ms->parms.coc;
675 jpc_dec_tile_t *tile;
677 - if (JAS_CAST(int, coc->compno) > dec->numcomps) {
678 + if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
679 jas_eprintf("invalid component number in COC marker segment\n");
680 return -1;
681 }
682 @@ -1306,7 +1306,7 @@
683 jpc_rgn_t *rgn = &ms->parms.rgn;
684 jpc_dec_tile_t *tile;
686 - if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
687 + if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
688 jas_eprintf("invalid component number in RGN marker segment\n");
689 return -1;
690 }
691 @@ -1355,7 +1355,7 @@
692 jpc_qcc_t *qcc = &ms->parms.qcc;
693 jpc_dec_tile_t *tile;
695 - if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
696 + if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
697 jas_eprintf("invalid component number in QCC marker segment\n");
698 return -1;
699 }
700 @@ -1489,7 +1489,7 @@
701 cp->numlyrs = 0;
702 cp->mctid = 0;
703 cp->csty = 0;
704 - if (!(cp->ccps = jas_malloc(cp->numcomps * sizeof(jpc_dec_ccp_t)))) {
705 + if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
706 return 0;
707 }
708 if (!(cp->pchglist = jpc_pchglist_create())) {
709 @@ -2048,7 +2048,7 @@
710 }
711 streamlist->numstreams = 0;
712 streamlist->maxstreams = 100;
713 - if (!(streamlist->streams = jas_malloc(streamlist->maxstreams *
714 + if (!(streamlist->streams = jas_alloc2(streamlist->maxstreams,
715 sizeof(jas_stream_t *)))) {
716 jas_free(streamlist);
717 return 0;
718 @@ -2068,8 +2068,8 @@
719 /* Grow the array of streams if necessary. */
720 if (streamlist->numstreams >= streamlist->maxstreams) {
721 newmaxstreams = streamlist->maxstreams + 1024;
722 - if (!(newstreams = jas_realloc(streamlist->streams,
723 - (newmaxstreams + 1024) * sizeof(jas_stream_t *)))) {
724 + if (!(newstreams = jas_realloc2(streamlist->streams,
725 + (newmaxstreams + 1024), sizeof(jas_stream_t *)))) {
726 return -1;
727 }
728 for (i = streamlist->numstreams; i < streamlist->maxstreams; ++i) {
729 @@ -2155,8 +2155,7 @@
730 {
731 jpc_ppxstabent_t **newents;
732 if (tab->maxents < maxents) {
733 - newents = (tab->ents) ? jas_realloc(tab->ents, maxents *
734 - sizeof(jpc_ppxstabent_t *)) : jas_malloc(maxents * sizeof(jpc_ppxstabent_t *));
735 + newents = jas_realloc2(tab->ents, maxents, sizeof(jpc_ppxstabent_t *));
736 if (!newents) {
737 return -1;
738 }
739 --- a/src/libjasper/jpc/jpc_enc.c 2007-01-19 22:43:07.000000000 +0100
740 +++ b/src/libjasper/jpc/jpc_enc.c 2015-01-28 17:57:34.122045503 +0100
741 @@ -403,7 +403,7 @@
742 vsteplcm *= jas_image_cmptvstep(image, cmptno);
743 }
745 - if (!(cp->ccps = jas_malloc(cp->numcmpts * sizeof(jpc_enc_ccp_t)))) {
746 + if (!(cp->ccps = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_ccp_t)))) {
747 goto error;
748 }
749 for (cmptno = 0, ccp = cp->ccps; cmptno < JAS_CAST(int, cp->numcmpts); ++cmptno,
750 @@ -656,7 +656,7 @@
752 if (ilyrrates && numilyrrates > 0) {
753 tcp->numlyrs = numilyrrates + 1;
754 - if (!(tcp->ilyrrates = jas_malloc((tcp->numlyrs - 1) *
755 + if (!(tcp->ilyrrates = jas_alloc2((tcp->numlyrs - 1),
756 sizeof(jpc_fix_t)))) {
757 goto error;
758 }
759 @@ -940,7 +940,7 @@
760 siz->tilewidth = cp->tilewidth;
761 siz->tileheight = cp->tileheight;
762 siz->numcomps = cp->numcmpts;
763 - siz->comps = jas_malloc(siz->numcomps * sizeof(jpc_sizcomp_t));
764 + siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t));
765 assert(siz->comps);
766 for (i = 0; i < JAS_CAST(int, cp->numcmpts); ++i) {
767 siz->comps[i].prec = cp->ccps[i].prec;
768 @@ -977,7 +977,7 @@
769 return -1;
770 }
771 crg = &enc->mrk->parms.crg;
772 - crg->comps = jas_malloc(crg->numcomps * sizeof(jpc_crgcomp_t));
773 + crg->comps = jas_alloc2(crg->numcomps, sizeof(jpc_crgcomp_t));
774 if (jpc_putms(enc->out, enc->cstate, enc->mrk)) {
775 jas_eprintf("cannot write CRG marker\n");
776 return -1;
777 @@ -1955,7 +1955,7 @@
778 tile->mctid = cp->tcp.mctid;
780 tile->numlyrs = cp->tcp.numlyrs;
781 - if (!(tile->lyrsizes = jas_malloc(tile->numlyrs *
782 + if (!(tile->lyrsizes = jas_alloc2(tile->numlyrs,
783 sizeof(uint_fast32_t)))) {
784 goto error;
785 }
786 @@ -1964,7 +1964,7 @@
787 }
789 /* Allocate an array for the per-tile-component information. */
790 - if (!(tile->tcmpts = jas_malloc(cp->numcmpts * sizeof(jpc_enc_tcmpt_t)))) {
791 + if (!(tile->tcmpts = jas_alloc2(cp->numcmpts, sizeof(jpc_enc_tcmpt_t)))) {
792 goto error;
793 }
794 /* Initialize a few members critical for error recovery. */
795 @@ -2110,7 +2110,7 @@
796 jas_seq2d_ystart(tcmpt->data), jas_seq2d_xend(tcmpt->data),
797 jas_seq2d_yend(tcmpt->data), bandinfos);
799 - if (!(tcmpt->rlvls = jas_malloc(tcmpt->numrlvls * sizeof(jpc_enc_rlvl_t)))) {
800 + if (!(tcmpt->rlvls = jas_alloc2(tcmpt->numrlvls, sizeof(jpc_enc_rlvl_t)))) {
801 goto error;
802 }
803 for (rlvlno = 0, rlvl = tcmpt->rlvls; rlvlno < tcmpt->numrlvls;
804 @@ -2213,7 +2213,7 @@
805 rlvl->numvprcs = JPC_FLOORDIVPOW2(brprcbry - tlprctly, rlvl->prcheightexpn);
806 rlvl->numprcs = rlvl->numhprcs * rlvl->numvprcs;
808 - if (!(rlvl->bands = jas_malloc(rlvl->numbands * sizeof(jpc_enc_band_t)))) {
809 + if (!(rlvl->bands = jas_alloc2(rlvl->numbands, sizeof(jpc_enc_band_t)))) {
810 goto error;
811 }
812 for (bandno = 0, band = rlvl->bands; bandno < rlvl->numbands;
813 @@ -2290,7 +2290,7 @@
814 band->synweight = bandinfo->synenergywt;
816 if (band->data) {
817 - if (!(band->prcs = jas_malloc(rlvl->numprcs * sizeof(jpc_enc_prc_t)))) {
818 + if (!(band->prcs = jas_alloc2(rlvl->numprcs, sizeof(jpc_enc_prc_t)))) {
819 goto error;
820 }
821 for (prcno = 0, prc = band->prcs; prcno < rlvl->numprcs; ++prcno,
822 @@ -2422,7 +2422,7 @@
823 goto error;
824 }
826 - if (!(prc->cblks = jas_malloc(prc->numcblks * sizeof(jpc_enc_cblk_t)))) {
827 + if (!(prc->cblks = jas_alloc2(prc->numcblks, sizeof(jpc_enc_cblk_t)))) {
828 goto error;
829 }
830 for (cblkno = 0, cblk = prc->cblks; cblkno < prc->numcblks;
831 --- a/src/libjasper/jpc/jpc_mqdec.c 2007-01-19 22:43:07.000000000 +0100
832 +++ b/src/libjasper/jpc/jpc_mqdec.c 2015-01-28 17:57:34.126045570 +0100
833 @@ -118,7 +118,7 @@
834 mqdec->in = in;
835 mqdec->maxctxs = maxctxs;
836 /* Allocate memory for the per-context state information. */
837 - if (!(mqdec->ctxs = jas_malloc(mqdec->maxctxs * sizeof(jpc_mqstate_t *)))) {
838 + if (!(mqdec->ctxs = jas_alloc2(mqdec->maxctxs, sizeof(jpc_mqstate_t *)))) {
839 goto error;
840 }
841 /* Set the current context to the first context. */
842 --- a/src/libjasper/jpc/jpc_mqenc.c 2007-01-19 22:43:07.000000000 +0100
843 +++ b/src/libjasper/jpc/jpc_mqenc.c 2015-01-28 17:57:34.126045570 +0100
844 @@ -197,7 +197,7 @@
845 mqenc->maxctxs = maxctxs;
847 /* Allocate memory for the per-context state information. */
848 - if (!(mqenc->ctxs = jas_malloc(mqenc->maxctxs * sizeof(jpc_mqstate_t *)))) {
849 + if (!(mqenc->ctxs = jas_alloc2(mqenc->maxctxs, sizeof(jpc_mqstate_t *)))) {
850 goto error;
851 }
853 --- a/src/libjasper/jpc/jpc_qmfb.c 2007-01-19 22:43:07.000000000 +0100
854 +++ b/src/libjasper/jpc/jpc_qmfb.c 2015-01-28 18:00:17.753785538 +0100
855 @@ -306,11 +306,7 @@
856 {
858 int bufsize = JPC_CEILDIVPOW2(numcols, 1);
859 -#if !defined(HAVE_VLA)
860 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
861 -#else
862 - jpc_fix_t splitbuf[bufsize];
863 -#endif
864 jpc_fix_t *buf = splitbuf;
865 register jpc_fix_t *srcptr;
866 register jpc_fix_t *dstptr;
867 @@ -318,15 +314,13 @@
868 register int m;
869 int hstartcol;
871 -#if !defined(HAVE_VLA)
872 /* Get a buffer. */
873 if (bufsize > QMFB_SPLITBUFSIZE) {
874 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
875 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
876 /* We have no choice but to commit suicide in this case. */
877 abort();
878 }
879 }
880 -#endif
882 if (numcols >= 2) {
883 hstartcol = (numcols + 1 - parity) >> 1;
884 @@ -360,12 +354,10 @@
885 }
886 }
888 -#if !defined(HAVE_VLA)
889 /* If the split buffer was allocated on the heap, free this memory. */
890 if (buf != splitbuf) {
891 jas_free(buf);
892 }
893 -#endif
895 }
897 @@ -374,11 +366,7 @@
898 {
900 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
901 -#if !defined(HAVE_VLA)
902 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
903 -#else
904 - jpc_fix_t splitbuf[bufsize];
905 -#endif
906 jpc_fix_t *buf = splitbuf;
907 register jpc_fix_t *srcptr;
908 register jpc_fix_t *dstptr;
909 @@ -386,15 +374,13 @@
910 register int m;
911 int hstartcol;
913 -#if !defined(HAVE_VLA)
914 /* Get a buffer. */
915 if (bufsize > QMFB_SPLITBUFSIZE) {
916 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
917 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
918 /* We have no choice but to commit suicide in this case. */
919 abort();
920 }
921 }
922 -#endif
924 if (numrows >= 2) {
925 hstartcol = (numrows + 1 - parity) >> 1;
926 @@ -428,12 +414,10 @@
927 }
928 }
930 -#if !defined(HAVE_VLA)
931 /* If the split buffer was allocated on the heap, free this memory. */
932 if (buf != splitbuf) {
933 jas_free(buf);
934 }
935 -#endif
937 }
939 @@ -442,11 +426,7 @@
940 {
942 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
943 -#if !defined(HAVE_VLA)
944 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
945 -#else
946 - jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
947 -#endif
948 jpc_fix_t *buf = splitbuf;
949 jpc_fix_t *srcptr;
950 jpc_fix_t *dstptr;
951 @@ -457,15 +437,13 @@
952 int m;
953 int hstartcol;
955 -#if !defined(HAVE_VLA)
956 /* Get a buffer. */
957 if (bufsize > QMFB_SPLITBUFSIZE) {
958 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
959 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
960 /* We have no choice but to commit suicide in this case. */
961 abort();
962 }
963 }
964 -#endif
966 if (numrows >= 2) {
967 hstartcol = (numrows + 1 - parity) >> 1;
968 @@ -517,12 +495,10 @@
969 }
970 }
972 -#if !defined(HAVE_VLA)
973 /* If the split buffer was allocated on the heap, free this memory. */
974 if (buf != splitbuf) {
975 jas_free(buf);
976 }
977 -#endif
979 }
981 @@ -531,11 +507,7 @@
982 {
984 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
985 -#if !defined(HAVE_VLA)
986 jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
987 -#else
988 - jpc_fix_t splitbuf[bufsize * numcols];
989 -#endif
990 jpc_fix_t *buf = splitbuf;
991 jpc_fix_t *srcptr;
992 jpc_fix_t *dstptr;
993 @@ -546,15 +518,13 @@
994 int m;
995 int hstartcol;
997 -#if !defined(HAVE_VLA)
998 /* Get a buffer. */
999 if (bufsize > QMFB_SPLITBUFSIZE) {
1000 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
1001 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
1002 /* We have no choice but to commit suicide in this case. */
1003 abort();
1004 }
1005 }
1006 -#endif
1008 if (numrows >= 2) {
1009 hstartcol = (numrows + 1 - parity) >> 1;
1010 @@ -606,12 +576,10 @@
1011 }
1012 }
1014 -#if !defined(HAVE_VLA)
1015 /* If the split buffer was allocated on the heap, free this memory. */
1016 if (buf != splitbuf) {
1017 jas_free(buf);
1018 }
1019 -#endif
1021 }
1023 @@ -619,26 +587,20 @@
1024 {
1026 int bufsize = JPC_CEILDIVPOW2(numcols, 1);
1027 -#if !defined(HAVE_VLA)
1028 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
1029 -#else
1030 - jpc_fix_t joinbuf[bufsize];
1031 -#endif
1032 jpc_fix_t *buf = joinbuf;
1033 register jpc_fix_t *srcptr;
1034 register jpc_fix_t *dstptr;
1035 register int n;
1036 int hstartcol;
1038 -#if !defined(HAVE_VLA)
1039 /* Allocate memory for the join buffer from the heap. */
1040 if (bufsize > QMFB_JOINBUFSIZE) {
1041 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
1042 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
1043 /* We have no choice but to commit suicide. */
1044 abort();
1045 }
1046 }
1047 -#endif
1049 hstartcol = (numcols + 1 - parity) >> 1;
1051 @@ -670,12 +632,10 @@
1052 ++srcptr;
1053 }
1055 -#if !defined(HAVE_VLA)
1056 /* If the join buffer was allocated on the heap, free this memory. */
1057 if (buf != joinbuf) {
1058 jas_free(buf);
1059 }
1060 -#endif
1062 }
1064 @@ -684,26 +644,20 @@
1065 {
1067 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
1068 -#if !defined(HAVE_VLA)
1069 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
1070 -#else
1071 - jpc_fix_t joinbuf[bufsize];
1072 -#endif
1073 jpc_fix_t *buf = joinbuf;
1074 register jpc_fix_t *srcptr;
1075 register jpc_fix_t *dstptr;
1076 register int n;
1077 int hstartcol;
1079 -#if !defined(HAVE_VLA)
1080 /* Allocate memory for the join buffer from the heap. */
1081 if (bufsize > QMFB_JOINBUFSIZE) {
1082 - if (!(buf = jas_malloc(bufsize * sizeof(jpc_fix_t)))) {
1083 + if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
1084 /* We have no choice but to commit suicide. */
1085 abort();
1086 }
1087 }
1088 -#endif
1090 hstartcol = (numrows + 1 - parity) >> 1;
1092 @@ -735,12 +689,10 @@
1093 ++srcptr;
1094 }
1096 -#if !defined(HAVE_VLA)
1097 /* If the join buffer was allocated on the heap, free this memory. */
1098 if (buf != joinbuf) {
1099 jas_free(buf);
1100 }
1101 -#endif
1103 }
1105 @@ -749,11 +701,7 @@
1106 {
1108 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
1109 -#if !defined(HAVE_VLA)
1110 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
1111 -#else
1112 - jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
1113 -#endif
1114 jpc_fix_t *buf = joinbuf;
1115 jpc_fix_t *srcptr;
1116 jpc_fix_t *dstptr;
1117 @@ -763,15 +711,13 @@
1118 register int i;
1119 int hstartcol;
1121 -#if !defined(HAVE_VLA)
1122 /* Allocate memory for the join buffer from the heap. */
1123 if (bufsize > QMFB_JOINBUFSIZE) {
1124 - if (!(buf = jas_malloc(bufsize * JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
1125 + if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
1126 /* We have no choice but to commit suicide. */
1127 abort();
1128 }
1129 }
1130 -#endif
1132 hstartcol = (numrows + 1 - parity) >> 1;
1134 @@ -821,12 +767,10 @@
1135 srcptr += JPC_QMFB_COLGRPSIZE;
1136 }
1138 -#if !defined(HAVE_VLA)
1139 /* If the join buffer was allocated on the heap, free this memory. */
1140 if (buf != joinbuf) {
1141 jas_free(buf);
1142 }
1143 -#endif
1145 }
1147 @@ -835,11 +779,7 @@
1148 {
1150 int bufsize = JPC_CEILDIVPOW2(numrows, 1);
1151 -#if !defined(HAVE_VLA)
1152 jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
1153 -#else
1154 - jpc_fix_t joinbuf[bufsize * numcols];
1155 -#endif
1156 jpc_fix_t *buf = joinbuf;
1157 jpc_fix_t *srcptr;
1158 jpc_fix_t *dstptr;
1159 @@ -849,15 +789,13 @@
1160 register int i;
1161 int hstartcol;
1163 -#if !defined(HAVE_VLA)
1164 /* Allocate memory for the join buffer from the heap. */
1165 if (bufsize > QMFB_JOINBUFSIZE) {
1166 - if (!(buf = jas_malloc(bufsize * numcols * sizeof(jpc_fix_t)))) {
1167 + if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
1168 /* We have no choice but to commit suicide. */
1169 abort();
1170 }
1171 }
1172 -#endif
1174 hstartcol = (numrows + 1 - parity) >> 1;
1176 @@ -907,12 +845,10 @@
1177 srcptr += numcols;
1178 }
1180 -#if !defined(HAVE_VLA)
1181 /* If the join buffer was allocated on the heap, free this memory. */
1182 if (buf != joinbuf) {
1183 jas_free(buf);
1184 }
1185 -#endif
1187 }
1189 --- a/src/libjasper/jpc/jpc_t1enc.c 2007-01-19 22:43:07.000000000 +0100
1190 +++ b/src/libjasper/jpc/jpc_t1enc.c 2015-01-28 17:57:34.128045603 +0100
1191 @@ -219,7 +219,7 @@
1193 cblk->numpasses = (cblk->numbps > 0) ? (3 * cblk->numbps - 2) : 0;
1194 if (cblk->numpasses > 0) {
1195 - cblk->passes = jas_malloc(cblk->numpasses * sizeof(jpc_enc_pass_t));
1196 + cblk->passes = jas_alloc2(cblk->numpasses, sizeof(jpc_enc_pass_t));
1197 assert(cblk->passes);
1198 } else {
1199 cblk->passes = 0;
1200 --- a/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100
1201 +++ b/src/libjasper/jpc/jpc_t2cod.c 2015-01-28 17:57:34.128045603 +0100
1202 @@ -573,7 +573,7 @@
1203 }
1204 if (pchglist->numpchgs >= pchglist->maxpchgs) {
1205 newmaxpchgs = pchglist->maxpchgs + 128;
1206 - if (!(newpchgs = jas_realloc(pchglist->pchgs, newmaxpchgs * sizeof(jpc_pchg_t *)))) {
1207 + if (!(newpchgs = jas_realloc2(pchglist->pchgs, newmaxpchgs, sizeof(jpc_pchg_t *)))) {
1208 return -1;
1209 }
1210 pchglist->maxpchgs = newmaxpchgs;
1211 --- a/src/libjasper/jpc/jpc_t2dec.c 2007-01-19 22:43:07.000000000 +0100
1212 +++ b/src/libjasper/jpc/jpc_t2dec.c 2015-01-28 17:57:34.129045620 +0100
1213 @@ -478,7 +478,7 @@
1214 return 0;
1215 }
1216 pi->numcomps = dec->numcomps;
1217 - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
1218 + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
1219 jpc_pi_destroy(pi);
1220 return 0;
1221 }
1222 @@ -490,7 +490,7 @@
1223 for (compno = 0, tcomp = tile->tcomps, picomp = pi->picomps;
1224 compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
1225 picomp->numrlvls = tcomp->numrlvls;
1226 - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
1227 + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
1228 sizeof(jpc_pirlvl_t)))) {
1229 jpc_pi_destroy(pi);
1230 return 0;
1231 @@ -503,7 +503,7 @@
1232 rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl, ++rlvl) {
1233 /* XXX sizeof(long) should be sizeof different type */
1234 pirlvl->numprcs = rlvl->numprcs;
1235 - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
1236 + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
1237 sizeof(long)))) {
1238 jpc_pi_destroy(pi);
1239 return 0;
1240 --- a/src/libjasper/jpc/jpc_t2enc.c 2007-01-19 22:43:07.000000000 +0100
1241 +++ b/src/libjasper/jpc/jpc_t2enc.c 2015-01-28 17:57:34.129045620 +0100
1242 @@ -565,7 +565,7 @@
1243 }
1244 pi->pktno = -1;
1245 pi->numcomps = cp->numcmpts;
1246 - if (!(pi->picomps = jas_malloc(pi->numcomps * sizeof(jpc_picomp_t)))) {
1247 + if (!(pi->picomps = jas_alloc2(pi->numcomps, sizeof(jpc_picomp_t)))) {
1248 jpc_pi_destroy(pi);
1249 return 0;
1250 }
1251 @@ -577,7 +577,7 @@
1252 for (compno = 0, tcomp = tile->tcmpts, picomp = pi->picomps;
1253 compno < pi->numcomps; ++compno, ++tcomp, ++picomp) {
1254 picomp->numrlvls = tcomp->numrlvls;
1255 - if (!(picomp->pirlvls = jas_malloc(picomp->numrlvls *
1256 + if (!(picomp->pirlvls = jas_alloc2(picomp->numrlvls,
1257 sizeof(jpc_pirlvl_t)))) {
1258 jpc_pi_destroy(pi);
1259 return 0;
1260 @@ -591,7 +591,7 @@
1261 /* XXX sizeof(long) should be sizeof different type */
1262 pirlvl->numprcs = rlvl->numprcs;
1263 if (rlvl->numprcs) {
1264 - if (!(pirlvl->prclyrnos = jas_malloc(pirlvl->numprcs *
1265 + if (!(pirlvl->prclyrnos = jas_alloc2(pirlvl->numprcs,
1266 sizeof(long)))) {
1267 jpc_pi_destroy(pi);
1268 return 0;
1269 --- a/src/libjasper/jpc/jpc_tagtree.c 2007-01-19 22:43:07.000000000 +0100
1270 +++ b/src/libjasper/jpc/jpc_tagtree.c 2015-01-28 17:57:34.130045636 +0100
1271 @@ -125,7 +125,7 @@
1272 ++numlvls;
1273 } while (n > 1);
1275 - if (!(tree->nodes_ = jas_malloc(tree->numnodes_ * sizeof(jpc_tagtreenode_t)))) {
1276 + if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
1277 return 0;
1278 }
1280 --- a/src/libjasper/jpc/jpc_util.c 2007-01-19 22:43:07.000000000 +0100
1281 +++ b/src/libjasper/jpc/jpc_util.c 2015-01-28 17:57:34.130045636 +0100
1282 @@ -109,7 +109,7 @@
1283 }
1285 if (n) {
1286 - if (!(vs = jas_malloc(n * sizeof(double)))) {
1287 + if (!(vs = jas_alloc2(n, sizeof(double)))) {
1288 return -1;
1289 }
1291 --- a/src/libjasper/mif/mif_cod.c 2007-01-19 22:43:05.000000000 +0100
1292 +++ b/src/libjasper/mif/mif_cod.c 2015-01-28 17:57:34.131045653 +0100
1293 @@ -438,8 +438,7 @@
1294 int cmptno;
1295 mif_cmpt_t **newcmpts;
1296 assert(maxcmpts >= hdr->numcmpts);
1297 - newcmpts = (!hdr->cmpts) ? jas_malloc(maxcmpts * sizeof(mif_cmpt_t *)) :
1298 - jas_realloc(hdr->cmpts, maxcmpts * sizeof(mif_cmpt_t *));
1299 + newcmpts = jas_realloc2(hdr->cmpts, maxcmpts, sizeof(mif_cmpt_t *));
1300 if (!newcmpts) {
1301 return -1;
1302 }