From e3291c4e1f26c1f756e360110423ab0a63be4204 Mon Sep 17 00:00:00 2001
From: Matthieu Darbois
Date: Wed, 27 May 2015 23:05:16 +0000
Subject: [trunk] Fix overflow in opj_image_comp_header_update (fixes issue 495)
---
 src/lib/openjp2/image.c | 30 ++++++++++++++++--------------
 src/lib/openjp2/opj_intmath.h | 9 +++++++++
 2 files changed, 25 insertions(+), 14 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index 8e68668e..3646e998 100644
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -107,27 +107,29 @@ void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
 void opj_image_comp_header_update(opj_image_t * p_image_header, const struct opj_cp * p_cp)
 {
 OPJ_UINT32 i, l_width, l_height;
- OPJ_INT32 l_x0, l_y0, l_x1, l_y1;
- OPJ_INT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
+ OPJ_UINT32 l_x0, l_y0, l_x1, l_y1;
+ OPJ_UINT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
 opj_image_comp_t* l_img_comp = NULL;
- l_x0 = opj_int_max((OPJ_INT32)p_cp->tx0 , (OPJ_INT32)p_image_header->x0);
- l_y0 = opj_int_max((OPJ_INT32)p_cp->ty0 , (OPJ_INT32)p_image_header->y0);
- l_x1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + p_cp->tw * p_cp->tdx), (OPJ_INT32)p_image_header->x1);
- l_y1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + p_cp->th * p_cp->tdy), (OPJ_INT32)p_image_header->y1);
+ l_x0 = opj_uint_max(p_cp->tx0 , p_image_header->x0);
+ l_y0 = opj_uint_max(p_cp->ty0 , p_image_header->y0);
+ l_x1 = p_cp->tx0 + (p_cp->tw - 1U) * p_cp->tdx; /* validity of p_cp members used here checked in opj_j2k_read_siz. Can't overflow. 
*/
+ l_y1 = p_cp->ty0 + (p_cp->th - 1U) * p_cp->tdy; /* can't overflow */
+ l_x1 = opj_uint_min(opj_uint_adds(l_x1, p_cp->tdx), p_image_header->x1); /* use add saturated to prevent overflow */
+ l_y1 = opj_uint_min(opj_uint_adds(l_y1, p_cp->tdy), p_image_header->y1); /* use add saturated to prevent overflow */
 l_img_comp = p_image_header->comps;
 for (i = 0; i < p_image_header->numcomps; ++i) {
- l_comp_x0 = opj_int_ceildiv(l_x0, (OPJ_INT32)l_img_comp->dx);
- l_comp_y0 = opj_int_ceildiv(l_y0, (OPJ_INT32)l_img_comp->dy);
- l_comp_x1 = opj_int_ceildiv(l_x1, (OPJ_INT32)l_img_comp->dx);
- l_comp_y1 = opj_int_ceildiv(l_y1, (OPJ_INT32)l_img_comp->dy);
- l_width = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_x1 - l_comp_x0, (OPJ_INT32)l_img_comp->factor);
- l_height = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_y1 - l_comp_y0, (OPJ_INT32)l_img_comp->factor);
+ l_comp_x0 = opj_uint_ceildiv(l_x0, l_img_comp->dx);
+ l_comp_y0 = opj_uint_ceildiv(l_y0, l_img_comp->dy);
+ l_comp_x1 = opj_uint_ceildiv(l_x1, l_img_comp->dx);
+ l_comp_y1 = opj_uint_ceildiv(l_y1, l_img_comp->dy);
+ l_width = opj_uint_ceildivpow2(l_comp_x1 - l_comp_x0, l_img_comp->factor);
+ l_height = opj_uint_ceildivpow2(l_comp_y1 - l_comp_y0, l_img_comp->factor);
 l_img_comp->w = l_width;
 l_img_comp->h = l_height;
- l_img_comp->x0 = (OPJ_UINT32)l_comp_x0/*l_x0*/;
- l_img_comp->y0 = (OPJ_UINT32)l_comp_y0/*l_y0*/;
+ l_img_comp->x0 = l_comp_x0;
+ l_img_comp->y0 = l_comp_y0;
 ++l_img_comp;
 }
 }
diff --git a/src/lib/openjp2/opj_intmath.h b/src/lib/openjp2/opj_intmath.h
index 4e299469..8fa89c03 100644
--- a/src/lib/openjp2/opj_intmath.h
+++ b/src/lib/openjp2/opj_intmath.h
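Review bot: The unsigned subtractions `l_comp_x1 - l_comp_x0` and `l_comp_y1 - l_comp_y0` in the component loop wrap to a very large width or height whenever the clamped upper bound ends up below the lower bound, and nothing in this function establishes `l_x1 >= l_x0`, because `l_x1` is capped by `p_image_header->x1` without comparing it to `p_cp->tx0` or `p_image_header->x0`. If opj_j2k_read_siz guarantees that ordering, as the new comment says it does for the `p_cp` members, the comment should say so for the image bounds as well, and the point of use should enforce it, for example `l_width = (l_comp_x1 > l_comp_x0) ? opj_uint_ceildivpow2(l_comp_x1 - l_comp_x0, l_img_comp->factor) : 0U;` with the same form for `l_height`. The `(p_cp->tw - 1U)` and `(p_cp->th - 1U)` terms likewise depend on `tw` and `th` being non-zero, a check that lives outside this patch. `opj_uint_ceildiv` is also defined outside the patch; since `l_x1` and `l_y1` can now saturate at the top of the 32-bit range, it is worth confirming that its rounding addition cannot wrap for such inputs.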
@@ -137,6 +137,15 @@ Divide an integer by a power of 2 and round upwards
 static INLINE OPJ_INT32 opj_int_ceildivpow2(OPJ_INT32 a, OPJ_INT32 b) {
 return (OPJ_INT32)((a + (OPJ_INT64)(1 << b) - 1) >> b);
 }
+
+/**
+ Divide an integer by a power of 2 and round upwards
+ @return Returns a divided by 2^b
+ */
+static INLINE OPJ_UINT32 opj_uint_ceildivpow2(OPJ_UINT32 a, OPJ_UINT32 b) {
+ return (OPJ_UINT32)((a + (OPJ_UINT64)(1U << b) - 1U) >> b);
+}
+
 /**
 Divide an integer by a power of 2 and round downwards
 @return Returns a divided by 2^b
-- cgit v1.2.3
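Review bot: In `opj_uint_ceildivpow2` the shift `1U << b` is evaluated in 32 bits and only widened afterwards, so any `b >= 32` is undefined behaviour before the 64-bit addition is reached; the cast belongs on the shifted operand, `return (OPJ_UINT32)((a + ((OPJ_UINT64)1U << b) - 1U) >> b);`. In this commit `b` is `l_img_comp->factor` passed from opj_image_comp_header_update, and no bound on that field is visible in the patch. The doc comment is copied from the signed variant and should name both parameters and state the accepted range of `b`, so that callers handling values taken from a codestream know what they must check first.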