From be95561917aa9b1d8ea4614820a534917cfa6bbe Mon Sep 17 00:00:00 2001
From: Aleks L <93376818+sashashura@users.noreply.github.com>
Date: Fri, 12 Aug 2022 14:48:41 +0100
Subject: [PATCH] Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr (#1441)

The issue was found while fuzzing opencv:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342

The read overflow triggered by reading `src[j]` in
```cpp
            for (j = 0; j < max; ++j) {
                dst[j] = src[j];
            }
```
The max is calculated as `new_comps[pcol].w * new_comps[pcol].h`, however the `src = old_comps[cmp].data;` which may have different `w` and `h` dimensions.
---
 src/lib/openjp2/jp2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index 17572195..ec202272 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1108,7 +1108,7 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
         pcol = cmap[i].pcol;
         src = old_comps[cmp].data;
         assert(src); /* verified above */
-        max = new_comps[pcol].w * new_comps[pcol].h;
+        max = new_comps[i].w * new_comps[i].h;
 
         /* Direct use: */
         if (cmap[i].mtyp == 0) {