diff options
| author | Mathieu Malaterre <mathieu.malaterre@gmail.com> | 2014-02-25 13:38:32 +0000 |
|---|---|---|
| committer | Mathieu Malaterre <mathieu.malaterre@gmail.com> | 2014-02-25 13:38:32 +0000 |
| commit | 901c9d8ae02a264fef45f700e11e7cda99b1d9ed (patch) | |
| tree | 4f313751c50409fd65f45b1c8dd739b56750e3c5 /src/lib | |
| parent | 6145c8280478c84658982d110dbc72fff4979e0d (diff) | |
[trunk] Import commit fc884aee2b69c78500e65c3d05bf216791a9ea4a from ghostpdl
prevent heap overflow in opj_t2_read_packet_header
Also prevent a double-free of segment data under OOM conditions.
Problem found in a test file, 1802.pdf.SIGSEGV.36e.894 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
Update issue 225
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/openjp2/t2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c index a3cf75d9..7c1eb704 100644 --- a/src/lib/openjp2/t2.c +++ b/src/lib/openjp2/t2.c @@ -981,6 +981,11 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2, do { l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n); l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses)); + /* testcase 1802.pdf.SIGSEGV.36e.894 */ + if (l_cblk->segs[l_segno].newlen > *l_modified_length_ptr) { + opj_bio_destroy(l_bio); + return OPJ_FALSE; + } n -= l_cblk->segs[l_segno].numnewpasses; if (n > 0) { @@ -1116,6 +1121,7 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2, OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen); if(! new_cblk_data) { opj_free(l_cblk->data); + l_cblk->data = NULL; l_cblk->data_max_size = 0; /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */ return OPJ_FALSE; |