color_cielab_to_rgb(): reject images with components of different dimensions to void read heap buffer overflow (#909)

2017-07-29 17:56:12 +02:00 · 2017-07-29 17:56:12 +02:00 · 5a3e7aaf33
parent 784d4d47e9
commit 5a3e7aaf33
1 changed files with 18 additions and 0 deletions
--- a/src/bin/common/color.c
+++ b/src/bin/common/color.c
@ -781,6 +781,18 @@ fails3:
    }
 }/* color_apply_icc_profile() */

+static int are_comps_same_dimensions(opj_image_t * image)
+{
+    unsigned int i;
+    for (i = 1; i < image->numcomps; i++) {
+        if (image->comps[0].dx != image->comps[i].dx ||
+                image->comps[0].dy != image->comps[i].dy) {
+            return OPJ_FALSE;
+        }
+    }
+    return OPJ_TRUE;
+}
+
 void color_cielab_to_rgb(opj_image_t *image)
 {
    int *row;
@ -794,6 +806,12 @@ void color_cielab_to_rgb(opj_image_t *image)
                __FILE__, __LINE__, numcomps);
        return;
    }
+    if (!are_comps_same_dimensions(image)) {
+        fprintf(stderr,
+                "%s:%d:\n\tcomponents are not all of the same dimension. Quitting.\n",
+                __FILE__, __LINE__);
+        return;
+    }

    row = (int*)image->icc_profile_buf;
    enumcs = row[0];