* Frank Küster:

> Would
>
>     if (nTiles >= INT_MAX / sizeof(JPXTile)) {
>       error(getPos(), "Bad tile count in JPX SIZ marker segment");
>       return gFalse;
>
> be okay?
It might still be a DoS issue, I think. Allocating arbitrary amounts of memory upon user request is usually a bad idea. But gmallocn does not touch the memory it allocates, so even very large allocations are very cheap initially. As long as you initialize the allocated data structure as you read more input, it should be a minor issue (because you need an enormous file size to cause problems on even slightly dated machines).

By the way, the gmallocn function suffers from undefined integer overflow, too:

    void *gmallocn(int nObjs, int objSize) {
      int n;

      n = nObjs * objSize;
      if (objSize == 0 || n / objSize != nObjs) {
        fprintf(stderr, "Bogus memory allocation size\n");
        exit(1);
      }
      return gmalloc(n);
    }

The error handling is not suitable for library use, either. I don't know if this is a problem.

PS: I haven't checked if the comparison "nTiles >= INT_MAX / sizeof(JPXTile)" is indeed correct and checks the right bound.
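The two points raised above (a counted allocation whose overflow check runs only after the undefined multiplication, and a tile-count bound that should reject what the allocator cannot represent) as an added example; this is not xpdf's own code and not part of the original thread. The names gmallocn_safe, tile_count_fits, probe_alloc and the JPXTileStub struct are assumptions made for illustration; the real JPXTile is a different, larger struct, but the arithmetic does not depend on its exact size.

```c
/* Added example (not xpdf code): overflow-safe counted allocation and a
 * tile-count bound check, following the discussion of gmallocn above.
 * Hypothetical names: gmallocn_safe, tile_count_fits, probe_alloc,
 * JPXTileStub. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for xpdf's JPXTile (assumed layout; only its size matters). */
typedef struct {
    int x0, y0, x1, y1;
    int nComps;
} JPXTileStub;

/* Overflow-safe counterpart to gmallocn. The original computes
 * nObjs * objSize first and divides back afterwards; with signed int the
 * multiplication already overflowed (undefined behaviour) before the
 * check runs, so the compiler may drop the check entirely. Here the
 * bound is tested *before* multiplying, in size_t, and failure is
 * reported to the caller as NULL instead of calling exit(1), which is
 * what a library can reasonably do. */
void *gmallocn_safe(size_t nObjs, size_t objSize)
{
    if (objSize == 0 || nObjs > SIZE_MAX / objSize) {
        return NULL; /* product would not fit in size_t */
    }
    return malloc(nObjs * objSize);
}

/* Returns 1 if nTiles * sizeof(JPXTileStub) still fits in an int, the
 * count type gmallocn takes; 0 otherwise. This is the bound the quoted
 * "nTiles >= INT_MAX / sizeof(JPXTile)" test is meant to enforce; that
 * form also rejects the exact boundary value, which is harmless. */
int tile_count_fits(unsigned nTiles)
{
    return nTiles <= INT_MAX / sizeof(JPXTileStub);
}

/* Helper so a caller can check whether an allocation of nObjs * objSize
 * is accepted without leaking the result: 1 = allocated and freed,
 * 0 = rejected (overflow or zero object size). */
int probe_alloc(size_t nObjs, size_t objSize)
{
    void *p = gmallocn_safe(nObjs, objSize);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed inputs: a sane count and an attacker-sized one. */
    printf("4 x %zu bytes accepted: %d\n", sizeof(JPXTileStub),
           probe_alloc(4, sizeof(JPXTileStub)));
    printf("SIZE_MAX x 2 bytes accepted: %d\n", probe_alloc(SIZE_MAX, 2));
    printf("tile count %u fits: %d\n", 16u, tile_count_fits(16u));
    printf("tile count %u fits: %d\n", UINT_MAX, tile_count_fits(UINT_MAX));
    return 0;
}
```

Note that the post-hoc `n / objSize != nObjs` test in the original would actually be sound for unsigned arithmetic (a wrapped product is always smaller than the true one, so dividing back never recovers nObjs); the defect is specifically that gmallocn uses int, where the wrap is undefined rather than well-defined, so the safe version tests the bound before multiplying.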