[1.5] Fix heap buffer overflow
Enforce sanity checks on tile number and tile length, even when the (rather broken) USE_JPWL code isn't enabled.
This commit is contained in:
parent
8062f74deb
commit
abce31e706
|
@ -1279,7 +1279,7 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
|
|||
static int backup_tileno = 0;
|
||||
|
||||
/* tileno is negative or larger than the number of tiles!!! */
|
||||
if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
|
||||
if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
|
||||
opj_event_msg(j2k->cinfo, EVT_ERROR,
|
||||
"JPWL: bad tile number (%d out of a maximum of %d)\n",
|
||||
tileno, (cp->tw * cp->th));
|
||||
|
@ -1296,8 +1296,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
|
|||
|
||||
/* keep your private count of tiles */
|
||||
backup_tileno++;
|
||||
};
|
||||
}
|
||||
else
|
||||
#endif /* USE_JPWL */
|
||||
{
|
||||
/* tileno is negative or larger than the number of tiles!!! */
|
||||
if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
|
||||
opj_event_msg(j2k->cinfo, EVT_ERROR,
|
||||
"JPWL: bad tile number (%d out of a maximum of %d)\n",
|
||||
tileno, (cp->tw * cp->th));
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (cp->tileno_size == 0) {
|
||||
cp->tileno[cp->tileno_size] = tileno;
|
||||
|
@ -1335,8 +1345,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
|
|||
totlen);
|
||||
}
|
||||
|
||||
};
|
||||
}
|
||||
else
|
||||
#endif /* USE_JPWL */
|
||||
{
|
||||
/* totlen is negative or larger than the bytes left!!! */
|
||||
if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
|
||||
opj_event_msg(j2k->cinfo, EVT_ERROR,
|
||||
"JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
|
||||
totlen, cio_numbytesleft(cio) + 8);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (!totlen)
|
||||
totlen = cio_numbytesleft(cio) + 8;
|
||||
|
|
Loading…
Reference in New Issue