From 901c9d8ae02a264fef45f700e11e7cda99b1d9ed Mon Sep 17 00:00:00 2001
From: Mathieu Malaterre
Date: Tue, 25 Feb 2014 13:38:32 +0000
Subject: [PATCH] [trunk] Import commit fc884aee2b69c78500e65c3d05bf216791a9ea4a from ghostpdl
prevent heap overflow in opj_t2_read_packet_header
Also prevent a double-free of segment data under OOM conditions.
Problem found in a test file, 1802.pdf.SIGSEGV.36e.894 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
Update issue 225
---
 src/lib/openjp2/t2.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
index a3cf75d9..7c1eb704 100644
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -981,6 +981,11 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2,
 do {
 l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n);
 l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses));
+ /* testcase 1802.pdf.SIGSEGV.36e.894 */
+ if (l_cblk->segs[l_segno].newlen > *l_modified_length_ptr) {
+ opj_bio_destroy(l_bio);
+ return OPJ_FALSE;
+ }
 n -= l_cblk->segs[l_segno].numnewpasses;
 if (n > 0) {
@@ -1116,6 +1121,7 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2,
 OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen);
 if(! new_cblk_data) {
 opj_free(l_cblk->data);
+ l_cblk->data = NULL;
 l_cblk->data_max_size = 0;
 /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */
 return OPJ_FALSE;
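Review bot: The added guard in opj_t2_read_packet_header explains itself only by a test-case name; a reader has to work out that `*l_modified_length_ptr` is the packet data still unread and that a segment length above it is what let the later data read run past its buffer. I would replace the comment with `/* a segment cannot be longer than the packet data left; reject it here so opj_t2_read_packet_data never reads past the buffer */` (assuming that is what the pointer tracks; its definition is above the hunk). Note also that the check bounds each segment on its own and not the running total of segments read for this code-block and packet, so whether the sum is bounded depends on checks outside this hunk. The do-while and the function itself start and end outside the hunk.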
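Review bot: After the realloc failure in opj_t2_read_packet_data the block now clears `l_cblk->data` and `data_max_size` but leaves `data_current_size` as it was, so the code-block is left with a NULL buffer and a non-zero fill count; any later path that trusts `data_current_size` would index a NULL pointer. Add `l_cblk->data_current_size = 0;` next to the new line so the three fields stay consistent (I cannot see from the hunk whether a caller re-reads the block after OPJ_FALSE, so this is defensive). The commented-out opj_event_msg also means the out-of-memory failure reaches the caller with no event; if it was disabled deliberately, a short comment saying why would help. The function continues outside the hunk.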