[1.5] Fix Heap-based buffer-overflow when decoding openjpeg image

Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for dataset to reproduce the issue.
Fixes issue 170
This commit is contained in:
Mathieu Malaterre 2012-09-10 11:16:55 +00:00
parent c2f32bb485
commit 4776f48477
1 changed files with 6 additions and 0 deletions

View File

@ -693,6 +693,12 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions to remove is higher than the number " opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions to remove is higher than the number "
"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno); "of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
j2k->state |= J2K_STATE_ERR; j2k->state |= J2K_STATE_ERR;
}
if( tccp->numresolutions > J2K_MAXRLVLS ) {
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
compno, tccp->numresolutions, J2K_MAXRLVLS);
j2k->state |= J2K_STATE_ERR;
tccp->numresolutions = J2K_MAXRLVLS;
} }
tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */ tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */