diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2017-07-30 18:43:25 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-30 18:43:25 +0200 |
| commit | c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 (patch) | |
| tree | 1fc5f67a7ffd985526567f867b8bbe9f4ee89408 /src/bin | |
| parent | 83342f2aafcab4599b49f780e35fd249e8402b61 (diff) | |
Avoid heap buffer overflow in function pnmtoimage of convert.c, and unsigned integer overflow in opj_image_create() (CVE-2016-9118, #861)
Diffstat (limited to 'src/bin')
| -rw-r--r-- | src/bin/jp2/convert.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c index b3eb8581..492911c9 100644 --- a/src/bin/jp2/convert.c +++ b/src/bin/jp2/convert.c @@ -41,6 +41,7 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <limits.h> #include "openjpeg.h" #include "convert.h" @@ -1731,6 +1732,15 @@ opj_image_t* pnmtoimage(const char *filename, opj_cparameters_t *parameters) return NULL; } + /* This limitation could be removed by making sure to use size_t below */ + if (header_info.height != 0 && + header_info.width > INT_MAX / header_info.height) { + fprintf(stderr, "pnmtoimage:Image %dx%d too big!\n", + header_info.width, header_info.height); + fclose(fp); + return NULL; + } + format = header_info.format; switch (format) { |