[1.5] Fix Heap-based buffer-overflow when decoding openjpeg image
Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for dataset to reproduce the issue. Fixes issue 170
This commit is contained in:
parent
c2f32bb485
commit
4776f48477
|
@ -693,6 +693,12 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
|
||||||
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions to remove is higher than the number "
|
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions to remove is higher than the number "
|
||||||
"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
|
"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
|
||||||
j2k->state |= J2K_STATE_ERR;
|
j2k->state |= J2K_STATE_ERR;
|
||||||
|
}
|
||||||
|
if( tccp->numresolutions > J2K_MAXRLVLS ) {
|
||||||
|
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
|
||||||
|
compno, tccp->numresolutions, J2K_MAXRLVLS);
|
||||||
|
j2k->state |= J2K_STATE_ERR;
|
||||||
|
tccp->numresolutions = J2K_MAXRLVLS;
|
||||||
}
|
}
|
||||||
|
|
||||||
tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
|
tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
|
||||||
|
|
Loading…
Reference in New Issue