From 8397eac3823b92e4cf6d6ba14570ca50a0cf5b3a Mon Sep 17 00:00:00 2001
From: Matthieu Darbois
Date: Thu, 20 Nov 2014 23:47:09 +0000
Subject: [PATCH] [trunk] added check for pclr box validity (fixes issue 429)

---
 src/lib/openjp2/jp2.c | 10 +++++++++-
 tests/nonregression/CMakeLists.txt | 1 +
 tests/nonregression/test_suite.ctest.in | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index 131a3645..4a91f89a 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1042,12 +1042,20 @@ OPJ_BOOL opj_jp2_read_pclr( opj_jp2_t *jp2,
 opj_read_bytes(p_pclr_header_data, &l_value , 2); /* NE */
 p_pclr_header_data += 2;
 nr_entries = (OPJ_UINT16) l_value;
+ if ((nr_entries == 0U) || (nr_entries > 1024U)) {
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid PCLR box. Reports %d entries\n", (int)nr_entries);
+ return OPJ_FALSE;
+ }

 opj_read_bytes(p_pclr_header_data, &l_value , 1); /* NPC */
 ++p_pclr_header_data;
 nr_channels = (OPJ_UINT16) l_value;
+ if (nr_channels == 0U) {
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid PCLR box. Reports 0 palette columns\n");
+ return OPJ_FALSE;
+ }

- if (p_pclr_header_size < 3 + (OPJ_UINT32)nr_channels || nr_channels == 0 || nr_entries >= (OPJ_UINT32)-1 / nr_channels)
+ if (p_pclr_header_size < 3 + (OPJ_UINT32)nr_channels)
 return OPJ_FALSE;

 entries = (OPJ_UINT32*) opj_malloc((size_t)nr_channels * nr_entries * sizeof(OPJ_UINT32));
diff --git a/tests/nonregression/CMakeLists.txt b/tests/nonregression/CMakeLists.txt
index 9ac6a181..242e52fe 100644
--- a/tests/nonregression/CMakeLists.txt
+++ b/tests/nonregression/CMakeLists.txt
@@ -42,6 +42,7 @@ set(BLACKLIST_JPEG2000_TMP
 edf_c2_101463.jp2
 edf_c2_1674177.jp2
 edf_c2_1673169.jp2
+issue429.jp2
 )

 # Define a list of file which should be gracefully rejected:
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index c580cf95..f85326bb 100644
--- a/tests/nonregression/test_suite.ctest.in
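Review bot: The retained size check `if (p_pclr_header_size < 3 + (OPJ_UINT32)nr_channels) return OPJ_FALSE;` still fails silently, while the two checks added just above it report through opj_event_msg at EVT_ERROR, so a truncated box now yields a different diagnostic from an out-of-range one for no visible reason. For consistency, log on that path as well, e.g. `opj_event_msg(p_manager, EVT_ERROR, "Invalid PCLR box. Header too short for %d palette columns\n", (int)nr_channels);` before the return. The 1024 upper bound on nr_entries is not explained in the code; a comment such as `/* NE must be 1..1024 per the JP2 palette box definition; with nr_channels read from one byte the malloc size below cannot overflow */` would record why the former `(OPJ_UINT32)-1 / nr_channels` guard could be dropped from the size check. Whether the remaining bytes of the box are validated against nr_entries and the per-channel widths before the entries are read cannot be seen here; opj_jp2_read_pclr starts and ends outside the hunk.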
+++ b/tests/nonregression/test_suite.ctest.in
@@ -223,6 +223,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue414.jp2 -o @TEMP_PATH@/issue414.jp2.pgx
 opj_decompress -i @INPUT_NR_PATH@/issue411-ycc444.jp2 -o @TEMP_PATH@/issue411-ycc444.jp2.pgx
 opj_decompress -i @INPUT_NR_PATH@/issue411-ycc422.jp2 -o @TEMP_PATH@/issue411-ycc422.jp2.pgx
 opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-ycc420.jp2.pgx
+# issue 429 (from pdfium fuzz engine) 0 entries in PCLR box.
+!opj_decompress -i @INPUT_NR_PATH@/issue429.jp2 -o @TEMP_PATH@/issue429.jp2.pgx
 # decode with specific area
 # prec=12; nb_c=1