authorEven Rouault <even.rouault@spatialys.com>2018-02-11 13:31:04 +0100
committerEven Rouault <even.rouault@spatialys.com>2018-02-11 13:31:04 +0100
commitda5e897232ef824daf9a492e746ed22cf2a43f18 (patch)
treebdf2c9f0917640ba95cfdd546c094f421225ee68 /src/lib
parentd96d2b9a2524f41a8e024462f94417c09747ba99 (diff)
Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions. Credit to Google Autofuzz project for providing test case
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/openjp2/tcd.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 1dd15405..be3b8436 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1067,6 +1067,12 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
/*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */
+ if ((((OPJ_UINT32) - 1) / (OPJ_UINT32)sizeof_block) <
+ l_nb_code_blocks) {
+ opj_event_msg(manager, EVT_ERROR,
+ "Size of code block data exceeds system limits\n");
+ return OPJ_FALSE;
+ }
l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
if (!l_current_precinct->cblks.blocks && (l_nb_code_blocks > 0U)) {