[trunk] added check for pclr box validity (fixes issue 429)

This commit is contained in:
Matthieu Darbois 2014-11-20 23:47:09 +00:00
parent a2c2d86d3d
commit 8397eac382
3 changed files with 12 additions and 1 deletions

View File

@ -1042,12 +1042,20 @@ OPJ_BOOL opj_jp2_read_pclr( opj_jp2_t *jp2,
opj_read_bytes(p_pclr_header_data, &l_value , 2); /* NE */ opj_read_bytes(p_pclr_header_data, &l_value , 2); /* NE */
p_pclr_header_data += 2; p_pclr_header_data += 2;
nr_entries = (OPJ_UINT16) l_value; nr_entries = (OPJ_UINT16) l_value;
if ((nr_entries == 0U) || (nr_entries > 1024U)) {
opj_event_msg(p_manager, EVT_ERROR, "Invalid PCLR box. Reports %d entries\n", (int)nr_entries);
return OPJ_FALSE;
}
opj_read_bytes(p_pclr_header_data, &l_value , 1); /* NPC */ opj_read_bytes(p_pclr_header_data, &l_value , 1); /* NPC */
++p_pclr_header_data; ++p_pclr_header_data;
nr_channels = (OPJ_UINT16) l_value; nr_channels = (OPJ_UINT16) l_value;
if (nr_channels == 0U) {
opj_event_msg(p_manager, EVT_ERROR, "Invalid PCLR box. Reports 0 palette columns\n");
return OPJ_FALSE;
}
if (p_pclr_header_size < 3 + (OPJ_UINT32)nr_channels || nr_channels == 0 || nr_entries >= (OPJ_UINT32)-1 / nr_channels) if (p_pclr_header_size < 3 + (OPJ_UINT32)nr_channels)
return OPJ_FALSE; return OPJ_FALSE;
entries = (OPJ_UINT32*) opj_malloc((size_t)nr_channels * nr_entries * sizeof(OPJ_UINT32)); entries = (OPJ_UINT32*) opj_malloc((size_t)nr_channels * nr_entries * sizeof(OPJ_UINT32));

View File

@ -42,6 +42,7 @@ set(BLACKLIST_JPEG2000_TMP
edf_c2_101463.jp2 edf_c2_101463.jp2
edf_c2_1674177.jp2 edf_c2_1674177.jp2
edf_c2_1673169.jp2 edf_c2_1673169.jp2
issue429.jp2
) )
# Define a list of file which should be gracefully rejected: # Define a list of file which should be gracefully rejected:

View File

@ -223,6 +223,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue414.jp2 -o @TEMP_PATH@/issue414.jp2.pgx
opj_decompress -i @INPUT_NR_PATH@/issue411-ycc444.jp2 -o @TEMP_PATH@/issue411-ycc444.jp2.pgx opj_decompress -i @INPUT_NR_PATH@/issue411-ycc444.jp2 -o @TEMP_PATH@/issue411-ycc444.jp2.pgx
opj_decompress -i @INPUT_NR_PATH@/issue411-ycc422.jp2 -o @TEMP_PATH@/issue411-ycc422.jp2.pgx opj_decompress -i @INPUT_NR_PATH@/issue411-ycc422.jp2 -o @TEMP_PATH@/issue411-ycc422.jp2.pgx
opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-ycc420.jp2.pgx opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-ycc420.jp2.pgx
# issue 429 (from pdfium fuzz engine) 0 entries in PCLR box.
!opj_decompress -i @INPUT_NR_PATH@/issue429.jp2 -o @TEMP_PATH@/issue429.jp2.pgx
# decode with specific area # decode with specific area
# prec=12; nb_c=1 # prec=12; nb_c=1