From da5e897232ef824daf9a492e746ed22cf2a43f18 Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sun, 11 Feb 2018 13:31:04 +0100 Subject: [PATCH] Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions. Credit to Google Autofuzz project for providing test case --- src/lib/openjp2/tcd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index 1dd15405..be3b8436 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -1067,6 +1067,12 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch; /*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */ + if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof_block) < + l_nb_code_blocks) { + opj_event_msg(manager, EVT_ERROR, + "Size of code block data exceeds system limits\n"); + return OPJ_FALSE; + } l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block; if (!l_current_precinct->cblks.blocks && (l_nb_code_blocks > 0U)) {