Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr

The issue was found while fuzzing opencv:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342

The read overflow is triggered by reading `src[j]` in
```cpp
for (j = 0; j < max; ++j) {
    dst[j] = src[j];
}
```
`max` is calculated as `new_comps[pcol].w * new_comps[pcol].h`; however, `src = old_comps[cmp].data;`, which may have different `w` and `h` dimensions.
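A defensive version of the clamped copy the message describes, as an added C example that is not OpenJPEG's own code: `comp_t`, `copy_component_clamped` and the sample data are constructed here, and the example goes a step beyond the patch by guarding the `w * h` product against 32-bit overflow and zero-filling any destination entries the shorter source cannot fill.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, minimal stand-in for an image component: width, height, pixels. */
typedef struct {
    uint32_t w;
    uint32_t h;
    int32_t *data;
} comp_t;

/* Stores w*h in *out; returns 0 if the product does not fit in 32 bits. */
static int comp_pixel_count(const comp_t *c, uint32_t *out)
{
    uint64_t n = (uint64_t)c->w * (uint64_t)c->h;
    if (n > UINT32_MAX) return 0;
    *out = (uint32_t)n;
    return 1;
}

/* Copies min(src pixels, dst pixels) entries, as the fix does, then zero-fills
 * the rest of dst so no entry is left uninitialised. Returns the number copied,
 * or -1 when either pixel count overflows. */
static long copy_component_clamped(const comp_t *src, comp_t *dst)
{
    uint32_t oldmax, newmax, max, j;
    if (!comp_pixel_count(src, &oldmax) || !comp_pixel_count(dst, &newmax))
        return -1;
    max = oldmax < newmax ? oldmax : newmax;   /* never read past src */
    for (j = 0; j < max; ++j) dst->data[j] = src->data[j];
    for (; j < newmax; ++j) dst->data[j] = 0; /* tail the source cannot fill */
    return (long)max;
}

/* Constructed sample: a 2x2 source mapped onto a 3x2 destination. */
static long example_mismatched(int32_t out[6])
{
    int32_t in[4] = {10, 20, 30, 40};
    comp_t src = {2, 2, in};
    comp_t dst = {3, 2, out};
    return copy_component_clamped(&src, &dst);
}

/* Constructed sample: 65536 x 65536 = 2^32 pixels, which overflows OPJ_UINT32. */
static long example_overflow(void)
{
    int32_t one[1] = {0};
    comp_t src = {0x10000u, 0x10000u, one};
    comp_t dst = {1, 1, one};
    return copy_component_clamped(&src, &dst);
}
```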
Aleks L 2022-08-12 11:36:40 +01:00 committed by GitHub
parent 49fea5c45e
commit c8fef1d5b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 5 additions and 2 deletions


@ -1042,7 +1042,7 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
OPJ_UINT32 *entries;
opj_jp2_cmap_comp_t *cmap;
OPJ_INT32 *src, *dst;
OPJ_UINT32 j, max;
OPJ_UINT32 j, max, newmax, oldmax;
OPJ_UINT16 i, nr_channels, cmp, pcol;
OPJ_INT32 k, top_k;
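Review bot: style point on the declaration line: `max` is kept as the name even though it now holds the smaller of `oldmax` and `newmax` rather than a maximum; renaming it (for example `count`) or adding a one-line comment at the declaration would stop the name from misleading the next reader.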
@ -1108,7 +1108,10 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
pcol = cmap[i].pcol;
src = old_comps[cmp].data;
assert(src); /* verified above */
max = new_comps[pcol].w * new_comps[pcol].h;
oldmax = old_comps[cmp].w * old_comps[cmp].h;
newmax = new_comps[pcol].w * new_comps[pcol].h;
max = oldmax < newmax ? oldmax : newmax;
/* Direct use: */
if (cmap[i].mtyp == 0) {
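Review bot: clamping `max` to `oldmax < newmax ? oldmax : newmax` stops the over-read of `src`, but when `oldmax < newmax` the entries `dst[max..newmax)` are no longer written, so unless the destination buffer is zero-initialised on allocation (not visible in this hunk) they stay uninitialised; consider either rejecting a dimension mismatch between `old_comps[cmp]` and `new_comps[pcol]` with `return OPJ_FALSE`, or explicitly zero-filling the tail and documenting that choice. Also both products (`old_comps[cmp].w * old_comps[cmp].h` and `new_comps[pcol].w * new_comps[pcol].h`) are computed in `OPJ_UINT32`, so very large dimensions would wrap and yield a small `max`; a widened multiply or an overflow check before the comparison would close that gap.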