opj_j2k_merge_ppm(): avoid unsigned-integer-overflow at j2k.c:3962 (#1490)

author: headshog <craaaaaachind@gmail.com> 2023-12-06 17:30:29 +0300
committer: Even Rouault <even.rouault@spatialys.com> 2023-12-08 15:03:54 +0100
commit: a817136f7edbd0e9d9ce46d1faf15506ed9478a0 (patch)
tree: e6fdc3507fdf2451f0dd1e52571a2f44b6711bc5 /src/lib
parent: 6af39314bdb43cb9c7adcdbc7aa9381af42b52ba (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 9dbba8f1..9db1bbd7 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -3959,9 +3959,12 @@ static OPJ_BOOL opj_j2k_merge_ppm(opj_cp_t *p_cp, opj_event_mgr_t * p_manager)
                     opj_read_bytes(l_data, &l_N_ppm, 4);
                     l_data += 4;
                     l_data_size -= 4;
-                    l_ppm_data_size +=
-                        l_N_ppm; /* can't overflow, max 256 markers of max 65536 bytes, that is when PPM markers are not corrupted which is checked elsewhere */
 
+                    if (l_ppm_data_size > UINT_MAX - l_N_ppm) {
+                        opj_event_msg(p_manager, EVT_ERROR, "Too large value for Nppm\n");
+                        return OPJ_FALSE;
+                    }
+                    l_ppm_data_size += l_N_ppm;
                     if (l_data_size >= l_N_ppm) {
                         l_data_size -= l_N_ppm;
                         l_data += l_N_ppm;
author	headshog <craaaaaachind@gmail.com>	2023-12-06 17:30:29 +0300
committer	Even Rouault <even.rouault@spatialys.com>	2023-12-08 15:03:54 +0100
commit	a817136f7edbd0e9d9ce46d1faf15506ed9478a0 (patch)
tree	e6fdc3507fdf2451f0dd1e52571a2f44b6711bc5 /src/lib
parent	6af39314bdb43cb9c7adcdbc7aa9381af42b52ba (diff)