walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Avoid use-after-free when a MCT marker is found after a MCC one (#895) 

Fixes openjeg-crashes-2017-07-27/issue880-poc2.j2k of #895
This commit is contained in:
Even Rouault 2017-07-28 21:29:55 +02:00
parent e03e947466
commit c5bf5ef4d6
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/lib/openjp2/j2k.c
View File

@ -5549,6 +5549,28 @@ static OPJ_BOOL opj_j2k_read_mct(opj_j2k_t *p_j2k,
opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to read MCT marker\n");
return OPJ_FALSE;
}
/* Update m_mcc_records[].m_offset_array and m_decorrelation_array
* to point to the new addresses */
if (new_mct_records != l_tcp->m_mct_records) {
for (i = 0; i < l_tcp->m_nb_mcc_records; ++i) {
opj_simple_mcc_decorrelation_data_t* l_mcc_record =
&(l_tcp->m_mcc_records[i]);
if (l_mcc_record->m_decorrelation_array) {
l_mcc_record->m_decorrelation_array =
new_mct_records +
(l_mcc_record->m_decorrelation_array -
l_tcp->m_mct_records);
}
if (l_mcc_record->m_offset_array) {
l_mcc_record->m_offset_array =
new_mct_records +
(l_mcc_record->m_offset_array -
l_tcp->m_mct_records);
}
}
}
l_tcp->m_mct_records = new_mct_records;
l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
memset(l_mct_data, 0, (l_tcp->m_nb_max_mct_records - l_tcp->m_nb_mct_records) *