From 2fbd4bb0b9c6178f12c852dc40db6ab05734bfe2 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Fri, 4 Aug 2017 18:01:29 +0200 Subject: [PATCH] opj_j2k_read_sot(): check current TPSot number regarding previous (non-zero) TNsot to avoid opj_j2k_merge_ppt() to be called several times. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2851. Credit to OSS Fuzz --- src/lib/openjp2/j2k.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 21befaa8..76efb018 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -4378,6 +4378,16 @@ static OPJ_BOOL opj_j2k_read_sot(opj_j2k_t *p_j2k, p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1; } + if (l_tcp->m_nb_tile_parts != 0 && l_current_part >= l_tcp->m_nb_tile_parts) { + /* Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2851 */ + opj_event_msg(p_manager, EVT_ERROR, + "In SOT marker, TPSot (%d) is not valid regards to the previous " + "number of tile-part (%d), giving up\n", l_current_part, + l_tcp->m_nb_tile_parts); + p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1; + return OPJ_FALSE; + } + if (l_num_parts != 0) { /* Number of tile-part header is provided by this tile-part header */ l_num_parts += p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction;