walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr (#1441) 

The issue was found while fuzzing opencv:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342

The read overflow triggered by reading `src[j]` in
```cpp
            for (j = 0; j < max; ++j) {
                dst[j] = src[j];
            }
```
The max is calculated as `new_comps[pcol].w * new_comps[pcol].h`, however the `src = old_comps[cmp].data;` which may have different `w` and `h` dimensions.
This commit is contained in:
Aleks L 2022-08-12 14:48:41 +01:00 committed by GitHub
parent 49fea5c45e
commit be95561917
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/lib/openjp2/jp2.c
View File

@ -1108,7 +1108,7 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
pcol = cmap[i].pcol;
src = old_comps[cmp].data;
assert(src); /* verified above */
max = new_comps[pcol].w * new_comps[pcol].h;
max = new_comps[i].w * new_comps[i].h;
/* Direct use: */
if (cmap[i].mtyp == 0) {