libbpg-0.9.8

ChangeLog

@@ -1,3 +1,8 @@
+version 0.9.8:
+
+- x265 library compilation fixes
+- buffer overflow fixes
+
 version 0.9.7:
 
 - Increased the memory size of the JS decoder to 32 MiB and avoid

VERSION

@@ -1 +1 @@
-0.9.7
+0.9.8

bpgenc.c

@@ -688,6 +688,14 @@ Image *image_alloc(int w, int h, BPGImageFormatEnum format, int has_alpha,
 {
     Image *img;
     int i, linesize, w1, h1, c_count;
+    uint64_t size;
+
+    /* XXX: support large images ? */
+    size = (uint64_t)w * (uint64_t)h * 2;
+    if (size > INT32_MAX) {
+        fprintf(stderr, "Image is too large\n");
+        exit(1);
+    }
 
     img = malloc(sizeof(Image));
     memset(img, 0, sizeof(*img));
@@ -1088,7 +1096,7 @@ Image *read_png(BPGMetaData **pmd,
 
 static BPGMetaData *jpeg_get_metadata(jpeg_saved_marker_ptr first_marker)
 {
-    static const char app1_exif[] = "Exif";
+    static const char app1_exif[] = "Exif\0";
     static const char app1_xmp[] = "http://ns.adobe.com/xap/1.0/";
     static const char app2_iccp[] = "ICC_PROFILE";
     jpeg_saved_marker_ptr marker;

libbpg.c

@@ -232,7 +232,7 @@ static int build_msps(uint8_t **pbuf, int *pbuf_len,
     input_data += len;
     input_data_len -= len;
     
-    buf_len = 4 + 2 + msps_len * 2 + 4 + (input_data_len - len);
+    buf_len = 4 + 2 + msps_len * 2;
     buf = av_malloc(buf_len);
 
     idx = 0;