opj_t2_encode_packet(): fix potential write heap buffer overflow (#992)
diff --git
a/src/lib/openjp2/t2.c
b/src/lib/openjp2/t2.c
index 9d31acda81f7aad45fe3e2bba40464d9670eb0eb..0fd5300c69b3649b9f31c21d0bf6f799bf45f39f 100644
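--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -629,6 +629,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
 /* <SOP 0xff91> */
 if (tcp->csty & J2K_CP_CSTY_SOP) {
+ if (length < 6) {
+ if (p_t2_mode == FINAL_PASS) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "opj_t2_encode_packet(): only %u bytes remaining in "
+ "output buffer. %u needed.\n",
+ length, 6);
+ }
+ return OPJ_FALSE;
+ }
 c[0] = 255;
 c[1] = 145;
 c[2] = 0;
@@ -817,6 +826,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
 /* <EPH 0xff92> */
 if (tcp->csty & J2K_CP_CSTY_EPH) {
+ if (length < 2) {
+ if (p_t2_mode == FINAL_PASS) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "opj_t2_encode_packet(): only %u bytes remaining in "
+ "output buffer. %u needed.\n",
+ length, 2);
+ }
+ return OPJ_FALSE;
+ }
 c[0] = 255;
 c[1] = 146;
 c += 2;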
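Review bot: The new `length < 6` and `length < 2` guards repeat the marker sizes as bare literals in the comparison and again in the message arguments, separate from the `c[...]` stores and the `c += 2` they protect, so a later change to either marker's layout could leave a guard that no longer matches the bytes written. I would name each size once, for example `#define OPJ_T2_SOP_LEN 6U` and `#define OPJ_T2_EPH_LEN 2U` (names are only a suggestion), and use it in the check, the message and the pointer advance; the `U` suffix also makes the argument type match `%u`, which the plain `6` and `2` do not strictly do. The early `return OPJ_FALSE` is silent outside `FINAL_PASS`, which looks deliberate, so a comment such as `/* non-final passes may run out of room by design; only report in FINAL_PASS */` would help the next reader, though that reading is inferred and not shown on this page. Both hunks start and end inside `opj_t2_encode_packet()`, so whether `length` is reduced in step with `c` after each marker cannot be confirmed here and is worth checking, since later bounds checks depend on it.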