walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Avoid asserting on assert(i == pcol) in opj_jp2_apply_pclr() by adding new check in opj_jp2_check_color(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3068. Credit to OSS Fuzz

This commit is contained in:
Even Rouault 2017-08-17 11:05:53 +02:00
parent 8e6c371e66
commit 09e83407fa
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/lib/openjp2/jp2.c
View File

@ -958,26 +958,35 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
} }
/* verify that no component is targeted more than once */ /* verify that no component is targeted more than once */
for (i = 0; i < nr_channels; i++) { for (i = 0; i < nr_channels; i++) {
OPJ_UINT16 pcol = cmap[i].pcol; OPJ_BYTE mtyp = cmap[i].mtyp;
OPJ_BYTE pcol = cmap[i].pcol;
/* See ISO 15444-1 Table I.14 MTYPi field values */ /* See ISO 15444-1 Table I.14 MTYPi field values */
if (cmap[i].mtyp != 0 && cmap[i].mtyp != 1) { if (mtyp != 0 && mtyp != 1) {
opj_event_msg(p_manager, EVT_ERROR, opj_event_msg(p_manager, EVT_ERROR,
"Invalid value for cmap[%d].mtyp = %d.\n", i, "Invalid value for cmap[%d].mtyp = %d.\n", i,
cmap[i].mtyp); mtyp);
is_sane = OPJ_FALSE; is_sane = OPJ_FALSE;
} else if (pcol >= nr_channels) { } else if (pcol >= nr_channels) {
opj_event_msg(p_manager, EVT_ERROR, opj_event_msg(p_manager, EVT_ERROR,
"Invalid component/palette index for direct mapping %d.\n", pcol); "Invalid component/palette index for direct mapping %d.\n", pcol);
is_sane = OPJ_FALSE; is_sane = OPJ_FALSE;
} else if (pcol_usage[pcol] && cmap[i].mtyp == 1) { } else if (pcol_usage[pcol] && mtyp == 1) {
opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol); opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
is_sane = OPJ_FALSE; is_sane = OPJ_FALSE;
} else if (cmap[i].mtyp == 0 && cmap[i].pcol != 0) { } else if (mtyp == 0 && pcol != 0) {
/* I.5.3.5 PCOL: If the value of the MTYP field for this channel is 0, then /* I.5.3.5 PCOL: If the value of the MTYP field for this channel is 0, then
* the value of this field shall be 0. */ * the value of this field shall be 0. */
opj_event_msg(p_manager, EVT_ERROR, "Direct use at #%d however pcol=%d.\n", i, opj_event_msg(p_manager, EVT_ERROR, "Direct use at #%d however pcol=%d.\n", i,
pcol); pcol);
is_sane = OPJ_FALSE; is_sane = OPJ_FALSE;
} else if (mtyp == 1 && pcol != i) {
/* OpenJPEG implementation limitation. See assert(i == pcol); */
/* in opj_jp2_apply_pclr() */
opj_event_msg(p_manager, EVT_ERROR,
"Implementation limitation: for palette mapping, "
"pcol[%d] should be equal to %d, but is equal "
"to %d.\n", i, i, pcol);
is_sane = OPJ_FALSE;
} else { } else {
pcol_usage[pcol] = OPJ_TRUE; pcol_usage[pcol] = OPJ_TRUE;
} }