[trunk] Fixed a crash on illegal tile offset when decoding

Update issue 427
author: Matthieu Darbois <mayeut@users.noreply.github.com> 2014-12-18 22:56:38 +0000
committer: Matthieu Darbois <mayeut@users.noreply.github.com> 2014-12-18 22:56:38 +0000
commit: 58fc86452dbe0ebfd62077c0d8ec3db688417d3a (patch)
tree: db530efa79dde7bb3af7d60d414d20c91ae7116b
parent: c0cb119c0e6a18b6a9ac2ee4305acfb71b06a63c (diff)
3 files changed, 18 insertions, 1 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 656bf6de..cf4114d7 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -1919,7 +1919,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
         OPJ_UINT32 l_nb_comp_remain;
         OPJ_UINT32 l_remaining_size;
         OPJ_UINT32 l_nb_tiles;
-        OPJ_UINT32 l_tmp;
+        OPJ_UINT32 l_tmp, l_tx1, l_ty1;
         opj_image_t *l_image = 00;
         opj_cp_t *l_cp = 00;
         opj_image_comp_t * l_img_comp = 00;
@@ -1998,6 +1998,20 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
                 return OPJ_FALSE;
         }
 
+        /* testcase issue427-illegal-tile-offset.jp2 */
+        l_tx1 = l_cp->tx0 + l_cp->tdx;
+        if (l_tx1 < l_cp->tx0) { /* manage overflow */
+                l_tx1 = 0xFFFFFFFFU;
+        }
+        l_ty1 = l_cp->ty0 + l_cp->tdy;
+        if (l_ty1 < l_cp->ty0) { /* manage overflow */
+                l_ty1 = 0xFFFFFFFFU;
+        }
+        if ((l_cp->tx0 > l_image->x0) || (l_cp->ty0 > l_image->y0) || (l_tx1 <= l_image->x0) || (l_ty1 <= l_image->y0) ) {
+                opj_event_msg(p_manager, EVT_ERROR, "Error with SIZ marker: illegal tile offset\n");
+                return OPJ_FALSE;
+        }
+
 #ifdef USE_JPWL
         if (l_cp->correct) {
                 /* if JPWL is on, we check whether TX errors have damaged
diff --git a/tests/nonregression/CMakeLists.txt b/tests/nonregression/CMakeLists.txt
index be349ec0..927120f4 100644
--- a/tests/nonregression/CMakeLists.txt
+++ b/tests/nonregression/CMakeLists.txt
@@ -44,6 +44,7 @@ set(BLACKLIST_JPEG2000_TMP
     edf_c2_1673169.jp2
     issue429.jp2
     issue427-null-image-size.jp2
+    issue427-illegal-tile-offset.jp2
    )
 
 # Define a list of file which should be gracefully rejected:
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index ace54f94..afcf45d3 100644
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -231,6 +231,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-yc
 !opj_decompress -i @INPUT_NR_PATH@/issue432.jp2 -o @TEMP_PATH@/issue432.jp2.pgx
 # issue 427 image width is 0
 !opj_decompress -i @INPUT_NR_PATH@/issue427-null-image-size.jp2 -o @TEMP_PATH@/issue427-null-image-size.jp2.pgx
+# issue 427 illegal tile offset
+!opj_decompress -i @INPUT_NR_PATH@/issue427-illegal-tile-offset.jp2 -o @TEMP_PATH@/issue427-illegal-tile-offset.jp2.pgx
 
 # decode with specific area
 # prec=12; nb_c=1
author	Matthieu Darbois <mayeut@users.noreply.github.com>	2014-12-18 22:56:38 +0000
committer	Matthieu Darbois <mayeut@users.noreply.github.com>	2014-12-18 22:56:38 +0000
commit	58fc86452dbe0ebfd62077c0d8ec3db688417d3a (patch)
tree	db530efa79dde7bb3af7d60d414d20c91ae7116b
parent	c0cb119c0e6a18b6a9ac2ee4305acfb71b06a63c (diff)