| author | Matthieu Darbois <mayeut@users.noreply.github.com> | 2014-12-18 22:56:38 +0000 |
|---|---|---|
| committer | Matthieu Darbois <mayeut@users.noreply.github.com> | 2014-12-18 22:56:38 +0000 |
| commit | 58fc86452dbe0ebfd62077c0d8ec3db688417d3a (patch) | |
| tree | db530efa79dde7bb3af7d60d414d20c91ae7116b /src/lib | |
| parent | c0cb119c0e6a18b6a9ac2ee4305acfb71b06a63c (diff) | |
[trunk] Fixed a crash on illegal tile offset when decoding
Update issue 427
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/openjp2/j2k.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 656bf6de..cf4114d7 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -1919,7 +1919,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
 OPJ_UINT32 l_nb_comp_remain;
 OPJ_UINT32 l_remaining_size;
 OPJ_UINT32 l_nb_tiles;
- OPJ_UINT32 l_tmp;
+ OPJ_UINT32 l_tmp, l_tx1, l_ty1;
 opj_image_t *l_image = 00;
 opj_cp_t *l_cp = 00;
 opj_image_comp_t * l_img_comp = 00;
@@ -1998,6 +1998,20 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
 return OPJ_FALSE;
 }
 
+ /* testcase issue427-illegal-tile-offset.jp2 */
+ l_tx1 = l_cp->tx0 + l_cp->tdx;
+ if (l_tx1 < l_cp->tx0) { /* manage overflow */
+ l_tx1 = 0xFFFFFFFFU;
+ }
+ l_ty1 = l_cp->ty0 + l_cp->tdy;
+ if (l_ty1 < l_cp->ty0) { /* manage overflow */
+ l_ty1 = 0xFFFFFFFFU;
+ }
+ if ((l_cp->tx0 > l_image->x0) || (l_cp->ty0 > l_image->y0) || (l_tx1 <= l_image->x0) || (l_ty1 <= l_image->y0) ) {
+ opj_event_msg(p_manager, EVT_ERROR, "Error with SIZ marker: illegal tile offset\n");
+ return OPJ_FALSE;
+ }
+
 #ifdef USE_JPWL
 if (l_cp->correct) {
 /* if JPWL is on, we check whether TX errors have damaged |
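Review bot: The comment on the new check in the second hunk names only the regression file and not the rule applied to these file-supplied SIZ fields, so a reader cannot tell that `<=` on `l_tx1`/`l_ty1` is deliberate. Assuming `tx0`/`tdx` and `x0` hold XTOsiz/XTsiz and XOsiz, I would add `/* SIZ constraint: XTOsiz <= XOsiz and XTOsiz + XTsiz > XOsiz (same for Y); the sums saturate so a 32-bit wrap is not mistaken for a tile edge left of the image origin */`. Note that saturation means a tile whose far edge exceeds 32 bits is accepted rather than rejected; the function continues outside the hunk, so whether later tile-grid arithmetic copes with that should be confirmed. The saturating add is also spelled out twice and would be less error-prone as one small static helper.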
