Fix invalid access out of bounds, and bad behaviour, when calling repeatdly opj_get_decoded_tile() on an image with a color palette

2017-09-06 17:33:38 +02:00 · 2017-09-06 17:33:38 +02:00 · c67e1cd73f
parent 297f202104
commit c67e1cd73f
2 changed files with 19 additions and 3 deletions
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@ -10907,6 +10907,12 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
        return OPJ_FALSE;
    }

+    if (p_image->numcomps < p_j2k->m_private_image->numcomps) {
+        opj_event_msg(p_manager, EVT_ERROR,
+                      "Image has less components than codestream.\n");
+        return OPJ_FALSE;
+    }
+
    if (/*(tile_index < 0) &&*/ (tile_index >= p_j2k->m_cp.tw * p_j2k->m_cp.th)) {
        opj_event_msg(p_manager, EVT_ERROR,
                      "Tile index provided by the user is incorrect %d (max = %d) \n", tile_index,
@ -10937,7 +10943,7 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
    }

    l_img_comp = p_image->comps;
-    for (compno = 0; compno < p_image->numcomps; ++compno) {
+    for (compno = 0; compno < p_j2k->m_private_image->numcomps; ++compno) {
        OPJ_INT32 l_comp_x1, l_comp_y1;

        l_img_comp->factor = p_j2k->m_private_image->comps[compno].factor;
@ -10959,6 +10965,18 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
        l_img_comp++;
    }

+    if (p_image->numcomps > p_j2k->m_private_image->numcomps) {
+        /* Can happen when calling repeatdly opj_get_decoded_tile() on an
+         * image with a color palette, where color palette expansion is done
+         * later in jp2.c */
+        for (compno = p_j2k->m_private_image->numcomps; compno < p_image->numcomps;
+                ++compno) {
+            opj_image_data_free(p_image->comps[compno].data);
+            p_image->comps[compno].data = NULL;
+        }
+        p_image->numcomps = p_j2k->m_private_image->numcomps;
+    }
+
    /* Destroy the previous output image*/
    if (p_j2k->m_output_image) {
        opj_image_destroy(p_j2k->m_output_image);
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@ -1141,8 +1141,6 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
    image->comps = new_comps;
    image->numcomps = nr_channels;

-    opj_jp2_free_pclr(color);
-
    return OPJ_TRUE;
 }/* apply_pclr() */