8371647: 7 Integer overflows in mlib_malloc of mlib_sys.c:85

src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_Fp.c

@@ -76,6 +76,7 @@
 #include "mlib_ImageCheck.h"
 #include "mlib_SysMath.h"
 #include "mlib_ImageConv.h"
+#include "safe_math.h"
 
 /***************************************************************/
 static void mlib_ImageConvMxNMulAdd_F32(mlib_f32       *dst,
@@ -272,6 +273,13 @@ mlib_status mlib_convMxNext_f32(mlib_image       *dst,
   mlib_s32 nch = mlib_ImageGetChannels(dst);
   mlib_s32 i, j, j1, k;
 
+  if (!SAFE_TO_ADD(wid_e, m) ||
+      !SAFE_TO_MULT(3, wid_e + m) ||
+      !SAFE_TO_MULT((3 * wid_e + m),
+      (mlib_d64)sizeof(mlib_d64))) {
+    return MLIB_FAILURE;
+  }
+
   if (3 * wid_e + m > 1024) {
     dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64));
 
@@ -629,6 +637,13 @@ mlib_status mlib_convMxNext_d64(mlib_image       *dst,
   mlib_s32 nch = mlib_ImageGetChannels(dst);
   mlib_s32 i, j, j1, k;
 
+  if (!SAFE_TO_ADD(wid_e, m) ||
+      !SAFE_TO_MULT(3, wid_e + m) ||
+      !SAFE_TO_MULT((3 * wid_e + m),
+      (mlib_d64)sizeof(mlib_d64))) {
+    return MLIB_FAILURE;
+  }
+
   if (3 * wid_e + m > 1024) {
     dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64));
 

src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_ext.c

@@ -82,6 +82,7 @@
 
 #include "mlib_image.h"
 #include "mlib_ImageConv.h"
+#include "safe_math.h"
 
 /***************************************************************/
 static void mlib_ImageConvMxNMulAdd_S32(mlib_d64       *dst,
@@ -229,6 +230,13 @@ mlib_status mlib_convMxNext_s32(mlib_image       *dst,
 
   /* internal buffer */
 
+  if (!SAFE_TO_ADD(wid_e, m) ||
+      !SAFE_TO_MULT(3, wid_e + m) ||
+      !SAFE_TO_MULT((3 * wid_e + m),
+      (mlib_d64)sizeof(mlib_d64))) {
+    return MLIB_FAILURE;
+  }
+
   if (3 * wid_e + m > 1024) {
     dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64));
 

src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16ext.c

@@ -33,6 +33,7 @@
 #include "mlib_image.h"
 #include "mlib_ImageConv.h"
 #include "mlib_c_ImageConv.h"
+#include "safe_math.h"
 
 /*
  * This define switches between functions of different data types
@@ -265,6 +266,8 @@ static mlib_status mlib_ImageConv1xN_ext(mlib_image       *dst,
   bsize = 2 * (smax_hsize + 1);
 
   if (bsize > BUFF_SIZE) {
+    if (!SAFE_TO_MULT(bsize, (mlib_s32)sizeof(FTYPE))) return MLIB_FAILURE;
+
     pbuff = mlib_malloc(sizeof(FTYPE)*bsize);
 
     if (pbuff == NULL) return MLIB_FAILURE;
@@ -495,6 +498,8 @@ mlib_status CONV_FUNC_MxN
   mn = m*n;
 
   if (mn > 256) {
+    if (!SAFE_TO_MULT(mn, (mlib_d64)sizeof(mlib_d64))) return MLIB_FAILURE;
+
     k = mlib_malloc(mn*sizeof(mlib_d64));
 
     if (k == NULL) return MLIB_FAILURE;

src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8ext.c

@@ -33,6 +33,7 @@
 #include "mlib_image.h"
 #include "mlib_ImageConv.h"
 #include "mlib_c_ImageConv.h"
+#include "safe_math.h"
 
 /*
  * This define switches between functions of different data types
@@ -919,6 +920,12 @@ mlib_status CONV_FUNC_MxN_I
   for (l = 0; l < (n + 1); l++) buffs[l + (n + 1)] = buffs[l];
   buffd = buffs[n] + swid;
 
+  if (!SAFE_TO_MULT(m, n) ||
+      !SAFE_TO_MULT((m * n),
+      (mlib_s32)sizeof(mlib_s32))) {
+    return MLIB_FAILURE;
+  }
+
   if (m*n > MAX_N*MAX_N) {
     k = mlib_malloc(sizeof(mlib_s32)*(m*n));
 

src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16ext.c

@@ -33,6 +33,7 @@
 #include "mlib_image.h"
 #include "mlib_ImageConv.h"
 #include "mlib_c_ImageConv.h"
+#include "safe_math.h"
 
 /*
  * This define switches between functions of different data types
@@ -942,6 +943,12 @@ mlib_status CONV_FUNC_MxN_I
   for (l = 0; l < (n + 1); l++) buffs[l + (n + 1)] = buffs[l];
   buffd = buffs[n] + swid;
 
+  if (!SAFE_TO_MULT(m, n) ||
+      !SAFE_TO_MULT((m * n),
+      (mlib_s32)sizeof(mlib_s32))) {
+    return MLIB_FAILURE;
+  }
+
   if (m*n > MAX_N*MAX_N) {
     k = mlib_malloc(sizeof(mlib_s32)*(m*n));