From 057c4c188a6ae44407f9bccf554d6b25bd09744b Mon Sep 17 00:00:00 2001
From: Aous Naman
Date: Wed, 13 Jul 2022 11:30:49 +1000
Subject: [PATCH] Modified the mel_init code to replace the assert statement with an if statement, returning false when an incorrect sequence of bytes are encountered in the MEL segment. Similar code should be added to the main MEL decoding subrountine, but the change is more involved; in any case, an incorrect sequence produces incorrect results, but should not be harmful or cause a crash.
---
 src/lib/openjp2/ht_dec.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/lib/openjp2/ht_dec.c b/src/lib/openjp2/ht_dec.c
index a803d1bb..60b4b481 100644
--- a/src/lib/openjp2/ht_dec.c
+++ b/src/lib/openjp2/ht_dec.c
@@ -294,7 +294,7 @@ void mel_decode(dec_mel_t *melp)
  * @param [in] scup is the length of MEL+VLC segments
  */
 static INLINE
-void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
+OPJ_BOOL mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
 {
     int num;
     int i;
@@ -316,7 +316,9 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
         OPJ_UINT64 d;
         int d_bits;
 
-        assert(melp->unstuff == OPJ_FALSE || melp->data[0] <= 0x8F);
+        if (melp->unstuff == OPJ_TRUE && melp->data[0] > 0x8F) {
+            return OPJ_FALSE;
+        }
         d = (melp->size > 0) ? *melp->data : 0xFF; // if buffer is consumed
         // set data to 0xFF
         if (melp->size == 1) {
@@ -332,6 +334,7 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
     }
     melp->tmp <<= (64 - melp->bits); //push all the way up so the first bit
     // is the MSB
+    return OPJ_TRUE;
 }
 
 //************************************************************************/
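Review bot: The Doxygen header above the changed signature (it begins outside the hunk) still documents only the parameters, while mel_init now returns an OPJ_BOOL that the caller must check. Add a line such as ` * @return OPJ_TRUE on success, OPJ_FALSE when a byte greater than 0x8F is read while melp->unstuff is set (malformed MEL segment)` so the failure contract is visible at the declaration rather than only at the call site.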
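Review bot: The new guard reads `melp->data[0]` unconditionally, whereas the very next line only dereferences `*melp->data` when `melp->size > 0` and otherwise substitutes 0xFF because the buffer is consumed; the replaced assert had the same asymmetry, but now that this is a runtime check on untrusted input it should not touch the byte the following line refuses to read. Since the synthesized 0xFF is never subject to the unstuff rule, the size test belongs in the condition: `if (melp->size > 0 && melp->unstuff == OPJ_TRUE && melp->data[0] > 0x8F) {`. Whether `melp->data` actually points past the allocation when size reaches 0 depends on how the enclosing loop advances it, which starts outside the hunk, so treat this as a bounds concern to confirm rather than a proven over-read.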
@@ -1374,7 +1377,17 @@ OPJ_BOOL opj_t1_ht_decode_cblk(opj_t1_t *t1,
     }
 
     // init structures
-    mel_init(&mel, coded_data, lcup, scup);
+    if (mel_init(&mel, coded_data, lcup, scup) == OPJ_FALSE) {
+        if (p_manager_mutex) {
+            opj_mutex_lock(p_manager_mutex);
+        }
+        opj_event_msg(p_manager, EVT_ERROR, "Malformed HT codeblock. " "Incorrect MEL segment sequence.\n");
+        if (p_manager_mutex) {
+            opj_mutex_unlock(p_manager_mutex);
+        }
+        return OPJ_FALSE;
+    }
     rev_init(&vlc, coded_data, lcup, scup);
     frwd_init(&magsgn, coded_data, lcup - scup, 0xFF);
     if (num_passes > 1) { // needs to be tested
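Review bot: The lock / opj_event_msg / unlock sequence in the new error branch is boilerplate that tends to be copied for every failure path; if the same shape already exists for other "Malformed HT codeblock" reports in opj_t1_ht_decode_cblk (the function begins outside the hunk), a small static helper taking p_manager, p_manager_mutex and the message would keep the paths identical and the locking rule in one place. The message carries no code-block coordinates, so when a malformed stream is rejected the log cannot say which block tripped the check; if the block position is available at this point, appending it would make the diagnostic actionable. As a minor point of style, `== OPJ_FALSE` on a boolean return reads more naturally as `if (!mel_init(&mel, coded_data, lcup, scup)) {`.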