opj_t1_clbl_decode_processor(): avoid undefined behaviour if roishift >= 31. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2506. Credit to OSS Fuzz

This commit is contained in:
Even Rouault 2017-07-29 16:29:11 +02:00
parent 9906fbf737
commit f6551f822f
1 changed files with 16 additions and 8 deletions


@ -1685,6 +1685,13 @@ static void opj_t1_clbl_decode_processor(void* user_data, opj_tls_t* tls)
cblk_h = t1->h; cblk_h = t1->h;
if (tccp->roishift) { if (tccp->roishift) {
if (tccp->roishift >= 31) {
for (j = 0; j < cblk_h; ++j) {
for (i = 0; i < cblk_w; ++i) {
datap[(j * cblk_w) + i] = 0;
}
}
} else {
OPJ_INT32 thresh = 1 << tccp->roishift; OPJ_INT32 thresh = 1 << tccp->roishift;
for (j = 0; j < cblk_h; ++j) { for (j = 0; j < cblk_h; ++j) {
for (i = 0; i < cblk_w; ++i) { for (i = 0; i < cblk_w; ++i) {
@ -1697,6 +1704,7 @@ static void opj_t1_clbl_decode_processor(void* user_data, opj_tls_t* tls)
} }
} }
} }
}
if (tccp->qmfbid == 1) { if (tccp->qmfbid == 1) {
OPJ_INT32* OPJ_RESTRICT tiledp = &tilec->data[(OPJ_UINT32)y * tile_w + OPJ_INT32* OPJ_RESTRICT tiledp = &tilec->data[(OPJ_UINT32)y * tile_w +
(OPJ_UINT32)x]; (OPJ_UINT32)x];
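Review bot: The new `>= 31` branch carries no comment saying why it zeroes the whole code-block instead of leaving the coefficients untouched, so a reader who does not know that `1 << tccp->roishift` is undefined for a 32-bit `OPJ_INT32` once roishift reaches 31 will take it for an arbitrary cut-off; I would put `/* 1 << roishift is undefined for roishift >= 31 on OPJ_INT32; clear the block rather than compute a threshold */` above the loop. `tccp->roishift` presumably comes straight from the codestream's RGN marker, so rejecting out-of-range values where that marker is parsed would make the per-code-block guard unnecessary and would report the bad value as a decode error instead of silently emptying blocks — worth confirming against the marker reader. The clearing loop could also be one memset over the `cblk_w * cblk_h` coefficients, since `datap[(j * cblk_w) + i]` walks the block contiguously, but that is a style choice. opj_t1_clbl_decode_processor begins before the first hunk and its body continues past the second.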