diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2017-07-29 19:03:13 +0200 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-29 19:03:13 +0200 |
| commit | 11445eddad7e7fa5b273d1c83c91011c44e5d586 (patch) | |
| tree | fa10a51882c4d8122c1caca5a07837a275a65279 /src | |
| parent | 3fbe71369019df0b47c7a2be4fab8c05768f2f32 (diff) | |
opj_pi_update_decode_poc(): limit layno1 to the number of layers (CVE-2016-1626 and CVE-2016-1628, #850)
This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/openjp2/pi.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c index c256349b..df96ac21 100644 --- a/src/lib/openjp2/pi.c +++ b/src/lib/openjp2/pi.c @@ -1213,7 +1213,8 @@ static void opj_pi_update_decode_poc(opj_pi_iterator_t * p_pi, l_current_poc->resno1; /* Resolution Level Index #0 (End) */ l_current_pi->poc.compno1 = l_current_poc->compno1; /* Component Index #0 (End) */ - l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */ + l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1, + p_tcp->numlayers); /* Layer Index #0 (End) */ l_current_pi->poc.precno1 = p_max_precision; ++l_current_pi; ++l_current_poc; |