From 6280b5ad8d12ad8f2c6756f22ec616b26d5acde7 Mon Sep 17 00:00:00 2001
From: Mathieu Malaterre
Date: Mon, 1 Oct 2012 15:57:01 +0000
Subject: [PATCH] [1.5] jp2_read_boxhdr() can trigger random pointer memory access
Fixes issue 155
---
libopenjpeg/jp2.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libopenjpeg/jp2.c b/libopenjpeg/jp2.c
index d43e70c5..531bbfc9 100644
--- a/libopenjpeg/jp2.c
+++ b/libopenjpeg/jp2.c
@@ -173,6 +173,10 @@ static opj_bool jp2_read_boxhdr(opj_common_ptr cinfo, opj_cio_t *cio, opj_jp2_bo
 else if (box->length == 0) {
 box->length = cio_numbytesleft(cio) + 8;
 }
+ if (box->length < 0) {
+ opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");
+ return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value
+ }
 return OPJ_TRUE;
 }
@@ -654,6 +658,7 @@ opj_bool jp2_read_jp2h(opj_jp2_t *jp2, opj_cio_t *cio, opj_jp2_color_t *color)
 opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n");
 return OPJ_FALSE;
 }
+ if (box.length <= 8) return OPJ_FALSE;
 cio_skip(cio, box.length - 8);
 if(cio->bp >= cio->end) return OPJ_FALSE;
@@ -679,6 +684,7 @@ opj_bool jp2_read_jp2h(opj_jp2_t *jp2, opj_cio_t *cio, opj_jp2_color_t *color)
 {
 if( !jp2_read_colr(jp2, cio, &box, color)) {
+ if (box.length <= 8) return OPJ_FALSE;
 cio_seek(cio, box.init_pos + 8);
 cio_skip(cio, box.length - 8);
 }
@@ -689,6 +695,7 @@ opj_bool jp2_read_jp2h(opj_jp2_t *jp2, opj_cio_t *cio, opj_jp2_color_t *color)
 {
 if( !jp2_read_cdef(jp2, cio, &box, color)) {
+ if (box.length <= 8) return OPJ_FALSE;
 cio_seek(cio, box.init_pos + 8);
 cio_skip(cio, box.length - 8);
 }
@@ -699,6 +706,7 @@ opj_bool jp2_read_jp2h(opj_jp2_t *jp2, opj_cio_t *cio, opj_jp2_color_t *color)
 {
 if( !jp2_read_pclr(jp2, cio, &box, color)) {
+ if (box.length <= 8) return OPJ_FALSE;
 cio_seek(cio, box.init_pos + 8);
 cio_skip(cio, box.length - 8);
 }
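Review bot: The `box->length < 0` test rejects only a declared length that does not fit the signed `length` field (the test itself implies the field is signed); a declared length of 1..7, shorter than the 8-byte header that carries it, still passes, and that is exactly what every caller in the later hunks then guards against with its own `box.length <= 8` check. Because every box header is parsed here, `if (box->length < 8) {` in place of the `< 0` test, kept where it is after the `== 0` substitution so "to end of stream" boxes still work, would protect all callers at once, including any that the TODO on the `return OPJ_FALSE;` line admits ignore the return value (the calls visible in jp2_read_jp2h and jp2_read_jp2c do test it, so the TODO presumably refers to callers outside this diff). The message `Integer overflow in box->length\n` also misdescribes the condition, since nothing in the decoder overflowed; the file declared a length that cannot be represented, and `Invalid box length\n` would say so. jp2_read_boxhdr begins before this hunk, so the `if` branch preceding the visible `else if` feeds the same check but is not visible here.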
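Review bot: The `box.length <= 8` guard added before `cio_skip(cio, box.length - 8);` rules out a negative skip but not a declared length larger than what remains in the stream; this site re-checks `cio->bp >= cio->end` after the skip, but the five `cio_seek`/`cio_skip` pairs guarded the same way in the following jp2_read_jp2h hunks (-679, -689, -699 and both in -709) and the loop skip in jp2_read_jp2c (-910) do not. Unless `cio_skip` itself clamps to `cio->end` (not visible here), an oversized length leaves `bp` beyond `end`, the very condition the author wanted to catch at this first site, and if `bp` is a pointer into the buffer, forming it past the end is already undefined behaviour before any read happens. Repeating `if(cio->bp >= cio->end) return OPJ_FALSE;` after each skip, or rejecting up front with `if (box.length - 8 > cio_numbytesleft(cio)) return OPJ_FALSE;`, closes the gap; the latter check belongs once in jp2_read_boxhdr, where the length is produced, rather than at eight call sites. jp2_read_jp2h begins before this hunk.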
@@ -709,12 +717,14 @@ opj_bool jp2_read_jp2h(opj_jp2_t *jp2, opj_cio_t *cio, opj_jp2_color_t *color)
 {
 if( !jp2_read_cmap(jp2, cio, &box, color)) {
+ if (box.length <= 8) return OPJ_FALSE;
 cio_seek(cio, box.init_pos + 8);
 cio_skip(cio, box.length - 8);
 }
 if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
 continue;
 }
+ if (box.length <= 8) return OPJ_FALSE;
 cio_seek(cio, box.init_pos + 8);
 cio_skip(cio, box.length - 8);
 if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
@@ -910,12 +920,14 @@ static opj_bool jp2_read_jp2c(opj_jp2_t *jp2, opj_cio_t *cio, unsigned int *j2k_
 }
 do {
 if(JP2_JP2C != box.type) {
+ if (box.length <= 8) return OPJ_FALSE;
 cio_skip(cio, box.length - 8);
 if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
 }
 } while(JP2_JP2C != box.type);
 *j2k_codestream_offset = cio_tell(cio);
+ if (box.length <= 8) return OPJ_FALSE;
 *j2k_codestream_length = box.length - 8;
 return OPJ_TRUE;
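Review bot: `*j2k_codestream_length = box.length - 8;` hands the caller a length taken straight from the file; the new `box.length <= 8` guard in front of it only keeps the value positive, so a JP2C box that declares more than the bytes actually present yields a codestream length larger than the buffer behind `cio`. Whether that turns into an over-read depends on how the caller consumes `*j2k_codestream_length` (not visible here), but since `*j2k_codestream_offset = cio_tell(cio);` shows the stream is positioned at the payload start, the guard can be bounded cheaply: `if (box.length - 8 > cio_numbytesleft(cio)) return OPJ_FALSE;` (or clamp to `cio_numbytesleft(cio)` if truncated files are meant to decode as far as they go). Rejecting an exactly-empty JP2C box with `<= 8` is reasonable, but a short comment such as `/* an empty codestream box is unusable */` would keep it from being "corrected" to `< 8` later. jp2_read_jp2c begins before this hunk and its closing brace lies after it.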