diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2017-07-26 11:30:56 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-26 11:32:41 +0200 |
| commit | d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b (patch) | |
| tree | 488cd1e4e9eba140026852dc2ba354510798b8f9 /src/lib | |
| parent | 39e962a0ca5e53722f6badda8e93681aad412cf1 (diff) | |
Avoid division by zero in opj_pi_next_rpcl, opj_pi_next_pcrl and opj_pi_next_cprl (#938)
Fixes issues with id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 and
id:000019,sig:08,src:001098,op:flip1,pos:49
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/openjp2/pi.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c index c1724fd6..798867a8 100644 --- a/src/lib/openjp2/pi.c +++ b/src/lib/openjp2/pi.c @@ -369,6 +369,17 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + + /* See ISO-15441. B.12.1.3 Resolution level-position-component-layer progression */ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))) { continue; @@ -464,6 +475,17 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + + /* See ISO-15441. B.12.1.4 Position-component-resolution level-layer progression */ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))) { continue; @@ -557,6 +579,17 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); rpx = res->pdx + levelno; rpy = res->pdy + levelno; + + /* To avoid divisions by zero / undefined behaviour on shift */ + /* in below tests */ + /* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */ + /* of https://github.com/uclouvain/openjpeg/issues/938 */ + if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || + rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { + continue; + } + + /* See ISO-15441. B.12.1.5 Component-position-resolution level-layer progression */ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))) { continue; |