From 28094e1ebfa420f9a0bdc7a11b8d4ee5f154db35 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Fri, 8 Sep 2017 10:56:49 +0200 Subject: [PATCH] opj_tcd_mct_decode(): avoid heap buffer overflow when components have not the same number of resolutions. Also fixes an issue with subtile decoding. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3331. Credit to OSS Fuzz --- src/lib/openjp2/tcd.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index 68caf5b0..631a4840 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -1520,6 +1520,15 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, tilec->win_y1 = opj_uint_min( (OPJ_UINT32)tilec->y1, opj_uint_ceildiv(p_tcd->win_y1, image_comp->dy)); + if (tilec->win_x1 < tilec->win_x0 || + tilec->win_y1 < tilec->win_y0) { + /* We should not normally go there. The circumstance is when */ + /* the tile coordinates do not intersect the area of interest */ + /* Upper level logic should not even try to decode that tile */ + opj_event_msg(p_manager, EVT_ERROR, + "Invalid tilec->win_xxx values\n"); + return OPJ_FALSE; + } for (resno = 0; resno < tilec->numresolutions; ++resno) { opj_tcd_resolution_t *res = tilec->resolutions + resno; @@ -1973,6 +1982,16 @@ static OPJ_BOOL opj_tcd_mct_decode(opj_tcd_t *p_tcd, opj_event_mgr_t *p_manager) /* but we would need to take into account a stride then */ l_samples = (OPJ_UINT32)((res_comp0->x1 - res_comp0->x0) * (res_comp0->y1 - res_comp0->y0)); + if (l_tile->numcomps >= 3) { + if (l_tile_comp->minimum_num_resolutions != + l_tile->comps[1].minimum_num_resolutions || + l_tile_comp->minimum_num_resolutions != + l_tile->comps[2].minimum_num_resolutions) { + opj_event_msg(p_manager, EVT_ERROR, + "Tiles don't all have the same dimension. Skip the MCT step.\n"); + return OPJ_FALSE; + } + } if (l_tile->numcomps >= 3) { opj_tcd_resolution_t* res_comp1 = l_tile->comps[1].resolutions + l_tile_comp->minimum_num_resolutions - 1;