From c8fef1d5b918232e58436f088f83e8fec68c54f2 Mon Sep 17 00:00:00 2001
From: Aleks L <93376818+sashashura@users.noreply.github.com>
Date: Fri, 12 Aug 2022 11:36:40 +0100
Subject: [PATCH] Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr
The issue was found while fuzzing opencv: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342 The read overflow triggered by reading `src[j]` in
```cpp
for (j = 0; j < max; ++j) { dst[j] = src[j]; }
```
The max is calculated as `new_comps[pcol].w * new_comps[pcol].h`, however the `src = old_comps[cmp].data;` which may have different `w` and `h` dimensions.
---
 src/lib/openjp2/jp2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index 17572195..484ed3b9 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1042,7 +1042,7 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
 OPJ_UINT32 *entries;
 opj_jp2_cmap_comp_t *cmap;
 OPJ_INT32 *src, *dst;
- OPJ_UINT32 j, max;
+ OPJ_UINT32 j, max, newmax, oldmax;
 OPJ_UINT16 i, nr_channels, cmp, pcol;
 OPJ_INT32 k, top_k;
@@ -1108,7 +1108,10 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
 pcol = cmap[i].pcol;
 src = old_comps[cmp].data;
 assert(src); /* verified above */
- max = new_comps[pcol].w * new_comps[pcol].h;
+ oldmax = old_comps[cmp].w * old_comps[cmp].h;
+ newmax = new_comps[pcol].w * new_comps[pcol].h;
+
+ max = oldmax < newmax ? oldmax : newmax;
 /* Direct use: */
 if (cmap[i].mtyp == 0) {
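Review bot: Clamping `max` to the smaller of `oldmax` and `newmax` stops the over-read of `src`, but when `oldmax < newmax` the copy loop now leaves `dst[oldmax .. newmax)` unwritten, so the tail of the new component carries whatever the allocation held unless that buffer is zero-filled (the allocation happens outside the hunk — verify). A source component whose dimensions differ from the palette channel it maps to is a malformed file rather than something to silently truncate, so the safer handling is to report the mismatch through the function's event-manager parameter (`p_manager`, beyond the hunk) and fail, e.g. `if (oldmax != newmax) { opj_event_msg(p_manager, EVT_ERROR, "Component %d and palette channel %d have different dimensions\n", cmp, pcol); return OPJ_FALSE; }` after releasing whatever the function's other error paths free, or at minimum zero the unwritten tail with `memset(dst + max, 0, (newmax - max) * sizeof(*dst));` once `dst` is assigned. Both `w * h` products are computed in OPJ_UINT32 and can wrap for large declared dimensions, which would under-size `max`; that predates this change, but the new `oldmax` line repeats the pattern and a wrapped `oldmax` would defeat the clamp. The body of opj_jp2_apply_pclr continues beyond both hunks.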