| author | Antonin Descampe <antonin@gmail.com> | 2014-09-30 10:07:09 +0000 |
|---|---|---|
| committer | Antonin Descampe <antonin@gmail.com> | 2014-09-30 10:07:09 +0000 |
| commit | 45f33cdbd633fdeb63f03c750af14508107a1932 (patch) | |
| tree | 2e95dea7424c674bd19e668468c3c640d6d76399 /src | |
| parent | 1acfa211ae85f2716064f041868f0fc5d6427590 (diff) | |
[trunk] check possible overflow on size in opj_t2_read_packet_data
Update issue 390
Labels: Priority-Critical
Should be rechecked with ASan and pdfium
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/openjp2/t2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
index efba2309..f2a7c9a5 100644
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -1157,6 +1157,12 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2,
 };
 #endif /* USE_JPWL */
+ /* Check possible overflow on size */
+ if ((l_cblk->data_current_size + l_seg->newlen) < l_cblk->data_current_size) {
+ fprintf(stderr, "read: segment too long (%d) with current size (%d > %d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
+ l_seg->newlen, l_cblk->data_current_size, 0xFFFFFFFF - l_seg->newlen, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno);
+ return OPJ_FALSE;
+ }
 /* Check if the cblk->data have allocated enough memory */
 if ((l_cblk->data_current_size + l_seg->newlen) > l_cblk->data_max_size) {
 OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen); |
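Review bot: The added guard `(l_cblk->data_current_size + l_seg->newlen) < l_cblk->data_current_size` is a valid overflow test only if both operands are unsigned 32-bit. Their declarations are outside the hunk, so this should be confirmed; with a signed operand the overflow is undefined behaviour and a compiler may remove the branch. Writing the condition in the subtraction form that the message already prints, `if (l_seg->newlen > 0xFFFFFFFFU - l_cblk->data_current_size)`, states the bound directly and does not rely on the sum wrapping. The `fprintf` formats `l_seg->newlen`, `l_cblk->data_current_size` and `0xFFFFFFFF - l_seg->newlen` with `%d`, so the large values that reach this path would print as negative numbers; `%u` would match if the fields are unsigned. The body of `opj_t2_read_packet_data` starts and ends outside the hunk, so any earlier bound on `l_seg->newlen` against the remaining input is not visible here.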
