walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

[1.5] Fix Heap-based buffer-overflow when decoding openjpeg image 

Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for dataset to reproduce the issue.
Fixes issue 170
This commit is contained in:
Mathieu Malaterre 2012-09-10 11:16:55 +00:00
parent c2f32bb485
commit 4776f48477
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libopenjpeg/j2k.c
View File

@ -694,6 +694,12 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno); "of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
j2k->state |= J2K_STATE_ERR; j2k->state |= J2K_STATE_ERR;
} }
if( tccp->numresolutions > J2K_MAXRLVLS ) {
opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
compno, tccp->numresolutions, J2K_MAXRLVLS);
j2k->state |= J2K_STATE_ERR;
tccp->numresolutions = J2K_MAXRLVLS;
}
tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */ tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */ tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */