Encoder: grow buffer size in opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in opj_mqc_flush (fixes #1283)

Even Rouault 2020-11-23 13:49:05 +01:00
parent 67ec360f48
commit eaa098b59b
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 3 additions and 1 deletions


@ -1243,9 +1243,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
/* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
/* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
/* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
/* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
/* TODO: is there a theoretical upper-bound for the compressed code */ /* TODO: is there a theoretical upper-bound for the compressed code */
/* block size ? */ /* block size ? */
l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) { if (l_data_size > p_code_block->data_size) {