authorMathieu Malaterre <mathieu.malaterre@gmail.com>2012-09-10 11:16:55 +0000
committerMathieu Malaterre <mathieu.malaterre@gmail.com>2012-09-10 11:16:55 +0000
commit4776f4847774ca346da4d07d13c193f910d5cdeb (patch)
treed0c958992b97a83d383b1449017f318ee0c11026
parentc2f32bb48567d637205b656e9ac1e427e130a21c (diff)
[1.5] Fix Heap-based buffer-overflow when decoding openjpeg image
Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for dataset to reproduce the issue. Fixes issue 170
-rw-r--r--libopenjpeg/j2k.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libopenjpeg/j2k.c b/libopenjpeg/j2k.c
index 093d3c5c..3f8e2790 100644
--- a/libopenjpeg/j2k.c
+++ b/libopenjpeg/j2k.c
@@ -694,6 +694,12 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
j2k->state |= J2K_STATE_ERR;
}
+ if( tccp->numresolutions > J2K_MAXRLVLS ) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
+ compno, tccp->numresolutions, J2K_MAXRLVLS);
+ j2k->state |= J2K_STATE_ERR;
+ tccp->numresolutions = J2K_MAXRLVLS;
+ }
tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */
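Review bot: The added bound check `if( tccp->numresolutions > J2K_MAXRLVLS )` sits after the existing `j2k->cp->reduce >= tccp->numresolutions` comparison, so that comparison still runs on the unvalidated value taken from the codestream; the limit should be enforced directly after numresolutions is read, before any other use. After clamping, the function carries on into the `cio_read` calls below with J2K_STATE_ERR already set, and if code later in j2k_read_cox (not visible in this hunk) consumes per-resolution bytes, the clamped count would presumably leave the read position out of step with the segment, so a `return;` right after `j2k->state |= J2K_STATE_ERR;` looks safer than truncating and continuing. The message is also logged as EVT_ERROR while ending in "Truncating.", which tells the caller two different things about whether decoding went on. A one-line comment such as `/* numresolutions comes from the codestream; cap it at J2K_MAXRLVLS before it is used as a per-resolution count */` would record why the limit exists. j2k_read_cox begins and ends outside the hunk, so the callers' handling of J2K_STATE_ERR could not be checked here.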