[trunk] Import commit fc884aee2b69c78500e65c3d05bf216791a9ea4a from ghostpdl

prevent heap overflow in opj_t2_read_packet_header

Also prevent a double-free of segment data under OOM conditions.

Problem found in a test file, 1802.pdf.SIGSEGV.36e.894 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!

Update issue 225
Mathieu Malaterre 2014-02-25 13:38:32 +00:00
parent 6145c82804
commit 901c9d8ae0
1 changed files with 6 additions and 0 deletions


@ -981,6 +981,11 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2,
do {
l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n);
l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses));
/* testcase 1802.pdf.SIGSEGV.36e.894 */
if (l_cblk->segs[l_segno].newlen > *l_modified_length_ptr) {
opj_bio_destroy(l_bio);
return OPJ_FALSE;
}
n -= l_cblk->segs[l_segno].numnewpasses;
if (n > 0) {
@ -1116,6 +1121,7 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2,
OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen);
if(! new_cblk_data) {
opj_free(l_cblk->data);
l_cblk->data = NULL;
l_cblk->data_max_size = 0;
/* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */
return OPJ_FALSE;
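Review bot: In the OOM branch of opj_t2_read_packet_data the block now resets `l_cblk->data` and `l_cblk->data_max_size` but leaves `l_cblk->data_current_size` at its old value, so the code block is left describing a non-empty buffer it no longer owns; adding `l_cblk->data_current_size = 0;` next to `l_cblk->data_max_size = 0;` keeps the three fields consistent (whether a later consumer reads the stale size is not visible here). The new check in opj_t2_read_packet_header bounds each segment's `newlen` against `*l_modified_length_ptr` one segment at a time, and since the `do` loop reads one length per segment the running sum over several segments is presumably still bounded only where the data is consumed — worth confirming against the caller. The realloc size `l_cblk->data_current_size + l_seg->newlen` is computed in the field's integer type, so a wrap check before the call may also be warranted if that type is narrower than size_t. Both enclosing functions start and end outside the hunks.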