authorMathieu Malaterre <mathieu.malaterre@gmail.com>2012-09-10 11:05:15 +0000
committerMathieu Malaterre <mathieu.malaterre@gmail.com>2012-09-10 11:05:15 +0000
commit1ff1401ff1d4b1fa7e76928b16025dbc039a5d58 (patch)
tree4beb4e4fadc3e8ef26d7245e78fecb1e17f5421b
parent3991bbe59537e26b132be1c6af16112283bf1ace (diff)
[trunk] Fix Heap-based buffer-overflow when decoding openjpeg image
Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for the report. This does not affect release 1.5.0 and/or the 1.5 release branch. Fixes issue 170.
-rw-r--r--libopenjpeg/t2.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libopenjpeg/t2.c b/libopenjpeg/t2.c
index 573c2677..207287d4 100644
--- a/libopenjpeg/t2.c
+++ b/libopenjpeg/t2.c
@@ -1826,6 +1826,10 @@ static opj_bool t2_read_packet_data(
#endif /* USE_JPWL */
+ if ((l_cblk->len + l_seg->newlen) > 8192) {
+ return OPJ_FALSE;
+ }
+
memcpy(l_cblk->data + l_cblk->len, l_current_data, l_seg->newlen);
if (l_seg->numpasses == 0) {
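Review bot: The added check `(l_cblk->len + l_seg->newlen) > 8192` sums the two lengths before comparing, so a very large `newlen` could wrap the sum (or overflow, if the fields are signed; their types are not visible here) and still reach the `memcpy`. Comparing against the remaining space avoids the addition: `if (l_cblk->len > 8192 || l_seg->newlen > 8192 - l_cblk->len) { return OPJ_FALSE; }`. The literal 8192 presumably mirrors the size of the `l_cblk->data` allocation made elsewhere; a named constant shared with that allocation, plus a comment such as `/* reject segments that would overrun the code-block buffer */`, would keep the two from drifting apart. The body of t2_read_packet_data starts and ends outside this hunk, so whether `l_current_data` itself holds `newlen` readable bytes cannot be confirmed from here.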