[trunk] fixed PDF crash in Chrome (fixes issue 362)

2014-10-06 21:05:21 +00:00 · 2014-10-06 21:05:21 +00:00 · 7256e43c48
parent a0a3af1dee
commit 7256e43c48
2 changed files with 16 additions and 1 deletions
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@ -3641,6 +3641,15 @@ OPJ_BOOL j2k_read_ppm_v3 (

                if (p_header_size)
                {
+                        if (p_header_size < 4) {
+                                opj_free(l_cp->ppm_data);
+                                l_cp->ppm_data = NULL;
+                                l_cp->ppm_buffer = NULL;  /* TODO: no need for a new local variable: ppm_buffer and ppm_data are enough */
+                                l_cp->ppm_len = 0;
+                                l_cp->ppm = 0;
+                                opj_event_msg(p_manager, EVT_ERROR, "Error reading PPM marker\n");
+                                return OPJ_FALSE;
+                        }
                        opj_read_bytes(p_header_data,&l_N_ppm,4);               /* N_ppm^i */
                        p_header_data+=4;
                        p_header_size-=4;
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@ -1843,7 +1843,7 @@ OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
 			return OPJ_FALSE;
 		}
 		/* testcase 1851.pdf.SIGSEGV.ce9.948 */
-		else if	(box.length < l_nb_bytes_read) {
+        else if (box.length < l_nb_bytes_read) {
 			opj_event_msg(p_manager, EVT_ERROR, "invalid box size %d (%x)\n", box.length, box.type);
 			opj_free(l_current_data);
 			return OPJ_FALSE;
@ -1853,6 +1853,12 @@ OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
 		l_current_data_size = box.length - l_nb_bytes_read;

 		if (l_current_handler != 00) {
+			if ((OPJ_OFF_T)l_current_data_size > opj_stream_get_number_byte_left(stream)) {
+				/* do not even try to malloc if we can't read */
+				opj_event_msg(p_manager, EVT_ERROR, "Invalid box size %d for box '%c%c%c%c'. Need %d bytes, %d bytes remaining \n", box.length, (OPJ_BYTE)(box.type>>24), (OPJ_BYTE)(box.type>>16), (OPJ_BYTE)(box.type>>8), (OPJ_BYTE)(box.type>>0), l_current_data_size, (OPJ_UINT32)opj_stream_get_number_byte_left(stream));
+				opj_free(l_current_data);
+				return OPJ_FALSE;
+			}
 			if (l_current_data_size > l_last_data_size) {
 				OPJ_BYTE* new_current_data = (OPJ_BYTE*)opj_realloc(l_current_data,l_current_data_size);
 				if (!new_current_data) {