Avoid asserting on assert(i == pcol) in opj_jp2_apply_pclr() by adding new check in opj_jp2_check_color(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3068. Credit to OSS Fuzz

author: Even Rouault <even.rouault@spatialys.com> 2017-08-17 11:05:53 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2017-08-17 11:05:53 +0200
commit: 09e83407fa2b53c606d3179031b8d8b31272e20c (patch)
tree: ef5db860359927dd833d800bcae2cd408136093c /src/lib
parent: 8e6c371e66d9c579048fd336cc3365869486080a (diff)
1 files changed, 14 insertions, 5 deletions
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index f3ccb997..372b2130 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -958,26 +958,35 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
         }
         /* verify that no component is targeted more than once */
         for (i = 0; i < nr_channels; i++) {
-            OPJ_UINT16 pcol = cmap[i].pcol;
+            OPJ_BYTE mtyp = cmap[i].mtyp;
+            OPJ_BYTE pcol = cmap[i].pcol;
             /* See ISO 15444-1 Table I.14 – MTYPi field values */
-            if (cmap[i].mtyp != 0 && cmap[i].mtyp != 1) {
+            if (mtyp != 0 && mtyp != 1) {
                 opj_event_msg(p_manager, EVT_ERROR,
                               "Invalid value for cmap[%d].mtyp = %d.\n", i,
-                              cmap[i].mtyp);
+                              mtyp);
                 is_sane = OPJ_FALSE;
             } else if (pcol >= nr_channels) {
                 opj_event_msg(p_manager, EVT_ERROR,
                               "Invalid component/palette index for direct mapping %d.\n", pcol);
                 is_sane = OPJ_FALSE;
-            } else if (pcol_usage[pcol] && cmap[i].mtyp == 1) {
+            } else if (pcol_usage[pcol] && mtyp == 1) {
                 opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
                 is_sane = OPJ_FALSE;
-            } else if (cmap[i].mtyp == 0 && cmap[i].pcol != 0) {
+            } else if (mtyp == 0 && pcol != 0) {
                 /* I.5.3.5 PCOL: If the value of the MTYP field for this channel is 0, then
                  * the value of this field shall be 0. */
                 opj_event_msg(p_manager, EVT_ERROR, "Direct use at #%d however pcol=%d.\n", i,
                               pcol);
                 is_sane = OPJ_FALSE;
+            } else if (mtyp == 1 && pcol != i) {
+                /* OpenJPEG implementation limitation. See assert(i == pcol); */
+                /* in opj_jp2_apply_pclr() */
+                opj_event_msg(p_manager, EVT_ERROR,
+                              "Implementation limitation: for palette mapping, "
+                              "pcol[%d] should be equal to %d, but is equal "
+                              "to %d.\n", i, i, pcol);
+                is_sane = OPJ_FALSE;
             } else {
                 pcol_usage[pcol] = OPJ_TRUE;
             }
author	Even Rouault <even.rouault@spatialys.com>	2017-08-17 11:05:53 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2017-08-17 11:05:53 +0200
commit	09e83407fa2b53c606d3179031b8d8b31272e20c (patch)
tree	ef5db860359927dd833d800bcae2cd408136093c /src/lib
parent	8e6c371e66d9c579048fd336cc3365869486080a (diff)