Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr (#1441)

The issue was found while fuzzing opencv: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342 The read overflow triggered by reading `src[j]` in ```cpp for (j = 0; j < max; ++j) { dst[j] = src[j]; } ``` The max is calculated as `new_comps[pcol].w * new_comps[pcol].h`, however the `src = old_comps[cmp].data;` which may have different `w` and `h` dimensions.
author: Aleks L <93376818+sashashura@users.noreply.github.com> 2022-08-12 14:48:41 +0100
committer: GitHub <noreply@github.com> 2022-08-12 15:48:41 +0200
commit: be95561917aa9b1d8ea4614820a534917cfa6bbe (patch)
tree: d118c9a4b4489d2a170902824681206d986cd7d2 /src/lib
parent: 49fea5c45e9924621944d4d484a1d95559d09fbb (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index 17572195..ec202272 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1108,7 +1108,7 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
         pcol = cmap[i].pcol;
         src = old_comps[cmp].data;
         assert(src); /* verified above */
-        max = new_comps[pcol].w * new_comps[pcol].h;
+        max = new_comps[i].w * new_comps[i].h;
 
         /* Direct use: */
         if (cmap[i].mtyp == 0) {
author	Aleks L <93376818+sashashura@users.noreply.github.com>	2022-08-12 14:48:41 +0100
committer	GitHub <noreply@github.com>	2022-08-12 15:48:41 +0200
commit	be95561917aa9b1d8ea4614820a534917cfa6bbe (patch)
tree	d118c9a4b4489d2a170902824681206d986cd7d2 /src/lib
parent	49fea5c45e9924621944d4d484a1d95559d09fbb (diff)