opj_j2k_read_sot(): check current TPSot number regarding previous (non-zero) TNsot to avoid opj_j2k_merge_ppt() to be called several times. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2851. Credit to OSS Fuzz

author: Even Rouault <even.rouault@spatialys.com> 2017-08-04 18:01:29 +0200
committer: Even Rouault <even.rouault@spatialys.com> 2017-08-04 18:02:10 +0200
commit: 2fbd4bb0b9c6178f12c852dc40db6ab05734bfe2 (patch)
tree: 2a798aa333d83166f9e1d9f3d267c586fa042d02 /src
parent: 155fc2e279b85bd04709967b2797de4f69b0cf3e (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 21befaa8..76efb018 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -4378,6 +4378,16 @@ static OPJ_BOOL opj_j2k_read_sot(opj_j2k_t *p_j2k,
         p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;
     }
 
+    if (l_tcp->m_nb_tile_parts != 0 && l_current_part >= l_tcp->m_nb_tile_parts) {
+        /* Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2851 */
+        opj_event_msg(p_manager, EVT_ERROR,
+                      "In SOT marker, TPSot (%d) is not valid regards to the previous "
+                      "number of tile-part (%d), giving up\n", l_current_part,
+                      l_tcp->m_nb_tile_parts);
+        p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;
+        return OPJ_FALSE;
+    }
+
     if (l_num_parts !=
             0) { /* Number of tile-part header is provided by this tile-part header */
         l_num_parts += p_j2k->m_specific_param.m_decoder.m_nb_tile_parts_correction;
author	Even Rouault <even.rouault@spatialys.com>	2017-08-04 18:01:29 +0200
committer	Even Rouault <even.rouault@spatialys.com>	2017-08-04 18:02:10 +0200
commit	2fbd4bb0b9c6178f12c852dc40db6ab05734bfe2 (patch)
tree	2a798aa333d83166f9e1d9f3d267c586fa042d02 /src
parent	155fc2e279b85bd04709967b2797de4f69b0cf3e (diff)