authorAntonin Descampe <antonin@gmail.com>2014-10-06 21:05:21 +0000
committerAntonin Descampe <antonin@gmail.com>2014-10-06 21:05:21 +0000
commit7256e43c48ba5f7b1b8ee2927a52dc783a7ab3ed (patch)
tree266f674e16fee4600e923df0c4d1a7d4495d172c /src/lib
parenta0a3af1dee52e93ddbcdef867f547c66e1d2104f (diff)
[trunk] fixed PDF crash in Chrome (fixes issue 362)
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/openjp2/j2k.c9
-rw-r--r--src/lib/openjp2/jp2.c8
2 files changed, 16 insertions, 1 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index f633f4fc..9b95b57e 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -3641,6 +3641,15 @@ OPJ_BOOL j2k_read_ppm_v3 (
if (p_header_size)
{
+ if (p_header_size < 4) {
+ opj_free(l_cp->ppm_data);
+ l_cp->ppm_data = NULL;
+ l_cp->ppm_buffer = NULL; /* TODO: no need for a new local variable: ppm_buffer and ppm_data are enough */
+ l_cp->ppm_len = 0;
+ l_cp->ppm = 0;
+ opj_event_msg(p_manager, EVT_ERROR, "Error reading PPM marker\n");
+ return OPJ_FALSE;
+ }
opj_read_bytes(p_header_data,&l_N_ppm,4); /* N_ppm^i */
p_header_data+=4;
p_header_size-=4;
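Review bot: The error path in the added `if (p_header_size < 4)` block frees `l_cp->ppm_data` and then only nulls `l_cp->ppm_buffer`, which avoids a leak only if both fields refer to the same allocation; the TODO on that line suggests the relationship is not settled, so please confirm which field owns the buffer before this free lands. Clearing `ppm`, `ppm_len` and both pointers together is the right defensive shape, since it stops later stages from consuming a freed PPM buffer; consider hoisting those five reset lines into a small `static` helper so every failure exit of j2k_read_ppm_v3 (the rest of the function is outside this hunk) clears the same fields the same way. The message `"Error reading PPM marker\n"` does not say what was rejected; `opj_event_msg(p_manager, EVT_ERROR, "Error reading PPM marker: truncated N_ppm field (%d bytes left)\n", p_header_size);` would make the rejection diagnosable from logs, matching the style of the sized messages in jp2.c.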
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index b52bd445..d408d8e4 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1843,7 +1843,7 @@ OPJ_BOOL opj_jp2_read_header_procedure( opj_jp2_t *jp2,
return OPJ_FALSE;
}
/* testcase 1851.pdf.SIGSEGV.ce9.948 */
- else if (box.length < l_nb_bytes_read) {
+ else if (box.length < l_nb_bytes_read) {
opj_event_msg(p_manager, EVT_ERROR, "invalid box size %d (%x)\n", box.length, box.type);
opj_free(l_current_data);
return OPJ_FALSE;
@@ -1853,6 +1853,12 @@ OPJ_BOOL opj_jp2_read_header_procedure( opj_jp2_t *jp2,
l_current_data_size = box.length - l_nb_bytes_read;
if (l_current_handler != 00) {
+ if ((OPJ_OFF_T)l_current_data_size > opj_stream_get_number_byte_left(stream)) {
+ /* do not even try to malloc if we can't read */
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid box size %d for box '%c%c%c%c'. Need %d bytes, %d bytes remaining \n", box.length, (OPJ_BYTE)(box.type>>24), (OPJ_BYTE)(box.type>>16), (OPJ_BYTE)(box.type>>8), (OPJ_BYTE)(box.type>>0), l_current_data_size, (OPJ_UINT32)opj_stream_get_number_byte_left(stream));
+ opj_free(l_current_data);
+ return OPJ_FALSE;
+ }
if (l_current_data_size > l_last_data_size) {
OPJ_BYTE* new_current_data = (OPJ_BYTE*)opj_realloc(l_current_data,l_current_data_size);
if (!new_current_data) {