[trunk] Fix overflow in opj_image_comp_header_update (fixes issue 495)

This commit is contained in:
Matthieu Darbois 2015-05-27 23:05:16 +00:00
parent 0fa5a17c98
commit e3291c4e1f
4 changed files with 30 additions and 14 deletions

View File

@ -107,27 +107,29 @@ void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
void opj_image_comp_header_update(opj_image_t * p_image_header, const struct opj_cp * p_cp)
{
OPJ_UINT32 i, l_width, l_height;
OPJ_INT32 l_x0, l_y0, l_x1, l_y1;
OPJ_INT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
OPJ_UINT32 l_x0, l_y0, l_x1, l_y1;
OPJ_UINT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
opj_image_comp_t* l_img_comp = NULL;
l_x0 = opj_int_max((OPJ_INT32)p_cp->tx0 , (OPJ_INT32)p_image_header->x0);
l_y0 = opj_int_max((OPJ_INT32)p_cp->ty0 , (OPJ_INT32)p_image_header->y0);
l_x1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + p_cp->tw * p_cp->tdx), (OPJ_INT32)p_image_header->x1);
l_y1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + p_cp->th * p_cp->tdy), (OPJ_INT32)p_image_header->y1);
l_x0 = opj_uint_max(p_cp->tx0 , p_image_header->x0);
l_y0 = opj_uint_max(p_cp->ty0 , p_image_header->y0);
l_x1 = p_cp->tx0 + (p_cp->tw - 1U) * p_cp->tdx; /* validity of p_cp members used here checked in opj_j2k_read_siz. Can't overflow. */
l_y1 = p_cp->ty0 + (p_cp->th - 1U) * p_cp->tdy; /* can't overflow */
l_x1 = opj_uint_min(opj_uint_adds(l_x1, p_cp->tdx), p_image_header->x1); /* use add saturated to prevent overflow */
l_y1 = opj_uint_min(opj_uint_adds(l_y1, p_cp->tdy), p_image_header->y1); /* use add saturated to prevent overflow */
l_img_comp = p_image_header->comps;
for (i = 0; i < p_image_header->numcomps; ++i) {
l_comp_x0 = opj_int_ceildiv(l_x0, (OPJ_INT32)l_img_comp->dx);
l_comp_y0 = opj_int_ceildiv(l_y0, (OPJ_INT32)l_img_comp->dy);
l_comp_x1 = opj_int_ceildiv(l_x1, (OPJ_INT32)l_img_comp->dx);
l_comp_y1 = opj_int_ceildiv(l_y1, (OPJ_INT32)l_img_comp->dy);
l_width = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_x1 - l_comp_x0, (OPJ_INT32)l_img_comp->factor);
l_height = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_y1 - l_comp_y0, (OPJ_INT32)l_img_comp->factor);
l_comp_x0 = opj_uint_ceildiv(l_x0, l_img_comp->dx);
l_comp_y0 = opj_uint_ceildiv(l_y0, l_img_comp->dy);
l_comp_x1 = opj_uint_ceildiv(l_x1, l_img_comp->dx);
l_comp_y1 = opj_uint_ceildiv(l_y1, l_img_comp->dy);
l_width = opj_uint_ceildivpow2(l_comp_x1 - l_comp_x0, l_img_comp->factor);
l_height = opj_uint_ceildivpow2(l_comp_y1 - l_comp_y0, l_img_comp->factor);
l_img_comp->w = l_width;
l_img_comp->h = l_height;
l_img_comp->x0 = (OPJ_UINT32)l_comp_x0/*l_x0*/;
l_img_comp->y0 = (OPJ_UINT32)l_comp_y0/*l_y0*/;
l_img_comp->x0 = l_comp_x0;
l_img_comp->y0 = l_comp_y0;
++l_img_comp;
}
}

View File

@ -137,6 +137,15 @@ Divide an integer by a power of 2 and round upwards
static INLINE OPJ_INT32 opj_int_ceildivpow2(OPJ_INT32 a, OPJ_INT32 b) {
return (OPJ_INT32)((a + (OPJ_INT64)(1 << b) - 1) >> b);
}
/**
Divide an integer by a power of 2 and round upwards
@return Returns a divided by 2^b
*/
static INLINE OPJ_UINT32 opj_uint_ceildivpow2(OPJ_UINT32 a, OPJ_UINT32 b) {
return (OPJ_UINT32)((a + (OPJ_UINT64)(1U << b) - 1U) >> b);
}
/**
Divide an integer by a power of 2 and round downwards
@return Returns a divided by 2^b

View File

@ -179,3 +179,6 @@ ec8d1c99db9763a8ba489df4f41dda53 issue411-ycc420.jp2_2.pgx
f004b48eafb2e52529cc9c7b6a3ff5d2 issue458.jp2_1.pgx
3127bd0a591d113c3c2428c8d2c14ec8 issue458.jp2_2.pgx
dacaf60e4c430916a8c2a9ebec32e71c issue458.jp2_3.pgx
d33fb5dbddb9b9b4438eb51fa27445a3 issue495.jp2_0.pgx
27db8c35e12a5d5eb94d403d2aae2909 issue495.jp2_1.pgx
97da625d2f2d0b75bf891d8083ce8bfb issue495.jp2_2.pgx

View File

@ -264,6 +264,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue458.jp2 -o @TEMP_PATH@/issue458.jp2.pgx
!opj_decompress -i @INPUT_NR_PATH@/issue476.jp2 -o @TEMP_PATH@/issue476.jp2.pgx
# issue 475 Invalid number of layers
!opj_decompress -i @INPUT_NR_PATH@/issue475.jp2 -o @TEMP_PATH@/issue475.jp2.pgx
# issue 495 Overflow op_image_comp_header_updat
opj_decompress -i @INPUT_NR_PATH@/issue495.jp2 -o @TEMP_PATH@/issue495.jp2.pgx
# decode with specific area