Fix invalid out-of-bounds access and bad behaviour when calling opj_get_decoded_tile() repeatedly on an image with a color palette

Even Rouault 2017-09-06 17:33:38 +02:00
parent 297f202104
commit c67e1cd73f
2 changed files with 19 additions and 3 deletions


@ -10907,6 +10907,12 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
return OPJ_FALSE; return OPJ_FALSE;
} }
if (p_image->numcomps < p_j2k->m_private_image->numcomps) {
opj_event_msg(p_manager, EVT_ERROR,
"Image has less components than codestream.\n");
return OPJ_FALSE;
}
if (/*(tile_index < 0) &&*/ (tile_index >= p_j2k->m_cp.tw * p_j2k->m_cp.th)) { if (/*(tile_index < 0) &&*/ (tile_index >= p_j2k->m_cp.tw * p_j2k->m_cp.th)) {
opj_event_msg(p_manager, EVT_ERROR, opj_event_msg(p_manager, EVT_ERROR,
"Tile index provided by the user is incorrect %d (max = %d) \n", tile_index, "Tile index provided by the user is incorrect %d (max = %d) \n", tile_index,
@ -10937,7 +10943,7 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
} }
l_img_comp = p_image->comps; l_img_comp = p_image->comps;
for (compno = 0; compno < p_image->numcomps; ++compno) { for (compno = 0; compno < p_j2k->m_private_image->numcomps; ++compno) {
OPJ_INT32 l_comp_x1, l_comp_y1; OPJ_INT32 l_comp_x1, l_comp_y1;
l_img_comp->factor = p_j2k->m_private_image->comps[compno].factor; l_img_comp->factor = p_j2k->m_private_image->comps[compno].factor;
@ -10959,6 +10965,18 @@ OPJ_BOOL opj_j2k_get_tile(opj_j2k_t *p_j2k,
l_img_comp++; l_img_comp++;
} }
if (p_image->numcomps > p_j2k->m_private_image->numcomps) {
/* Can happen when calling repeatdly opj_get_decoded_tile() on an
* image with a color palette, where color palette expansion is done
* later in jp2.c */
for (compno = p_j2k->m_private_image->numcomps; compno < p_image->numcomps;
++compno) {
opj_image_data_free(p_image->comps[compno].data);
p_image->comps[compno].data = NULL;
}
p_image->numcomps = p_j2k->m_private_image->numcomps;
}
/* Destroy the previous output image*/ /* Destroy the previous output image*/
if (p_j2k->m_output_image) { if (p_j2k->m_output_image) {
opj_image_destroy(p_j2k->m_output_image); opj_image_destroy(p_j2k->m_output_image);
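Review bot: The trimming block that lowers `p_image->numcomps` clears only the extra components; the first `m_private_image->numcomps` entries of `p_image->comps` still hold whatever palette expansion wrote on the previous call, and the one loop line visible here restores only `factor`. The rest of the loop body is outside this hunk, so it is worth confirming that it resets every per-component field that later code relies on, since those fields presumably determine how sample buffers are sized and indexed. I would also state the invariant next to the loop, e.g. `/* p_image->numcomps >= m_private_image->numcomps is checked above, so l_img_comp stays inside p_image->comps */`. The new comment also has a typo, `repeatdly`.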


@ -1141,8 +1141,6 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
image->comps = new_comps; image->comps = new_comps;
image->numcomps = nr_channels; image->numcomps = nr_channels;
opj_jp2_free_pclr(color);
return OPJ_TRUE; return OPJ_TRUE;
}/* apply_pclr() */ }/* apply_pclr() */
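Review bot: Dropping `opj_jp2_free_pclr(color)` takes ownership of the palette out of `opj_jp2_apply_pclr()`, and nothing in this section shows where it is released now. Every path that relied on this call to free the palette, including a single full decode, should be checked for a leak. The release should happen at decoder teardown so the palette cannot be freed while a later tile decode still needs it. A short comment before `return OPJ_TRUE;` would record the new contract: `/* the palette in 'color' is kept: it is applied again on the next decoded tile */`. The function starts outside this hunk.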