opj_event_msg(p_manager, EVT_ERROR, "Error with SIZ marker: negative image size (%d x %d)\n", l_image->x1 - l_image->x0, l_image->y1 - l_image->y0);
return OPJ_FALSE;
}
+ /* testcase 2539.pdf.SIGFPE.706.1712 (also 3622.pdf.SIGFPE.706.2916 and 4008.pdf.SIGFPE.706.3345 and maybe more) */
+ if (!(l_cp->tdx * l_cp->tdy)) {
+ opj_event_msg(p_manager, EVT_ERROR, "Error with SIZ marker: invalid tile size (tdx: %d, tdy: %d)\n", l_cp->tdx, l_cp->tdy);
+ return OPJ_FALSE;
+ }
+
+ /* testcase 1610.pdf.SIGSEGV.59c.681 */
+ if (((OPJ_UINT64)l_image->x1) * ((OPJ_UINT64)l_image->y1) != (l_image->x1 * l_image->y1)) {
+ opj_event_msg(p_manager, EVT_ERROR, "Prevent buffer overflow (x1: %d, y1: %d)", l_image->x1, l_image->y1);
+ return OPJ_FALSE;
+ }
#ifdef USE_JPWL
if (l_cp->correct) {
opj_read_bytes(p_header_data,&(p_j2k->m_current_tile_number),2); /* Isot */
p_header_data+=2;
+ /* testcase 2.pdf.SIGFPE.706.1112 */
+ if (p_j2k->m_current_tile_number >= l_cp->tw * l_cp->th) {
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid tile number %d\n", p_j2k->m_current_tile_number);
+ return OPJ_FALSE;
+ }
+
l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];
l_tile_x = p_j2k->m_current_tile_number % l_cp->tw;
l_tile_y = p_j2k->m_current_tile_number / l_cp->tw;
if (l_num_parts != 0) { /* Number of tile-part header is provided by this tile-part header */
/* Useful to manage the case of textGBR.jp2 file because two values of TNSot are allowed: the correct numbers of
* tile-parts for that tile and zero (A.4.2 of 15444-1 : 2002). */
- if (l_tcp->m_nb_tile_parts) {
- if (l_current_part >= l_tcp->m_nb_tile_parts){
- opj_event_msg(p_manager, EVT_ERROR, "In SOT marker, TPSot (%d) is not valid regards to the current "
- "number of tile-part (%d), giving up\n", l_current_part, l_tcp->m_nb_tile_parts );
- p_j2k->m_specific_param.m_decoder.m_last_tile_part = 1;
- return OPJ_FALSE;
- }
+ if (l_num_parts < l_tcp->m_nb_tile_parts) {
+ l_num_parts = l_tcp->m_nb_tile_parts;
+ }
+ if (l_current_part >= l_num_parts) {
+ /* testcase 451.pdf.SIGSEGV.ce9.3723 */
+ l_num_parts = l_current_part + 1;
}
l_tcp->m_nb_tile_parts = l_num_parts;
}
/* If know the number of tile part header we will check if we didn't read the last*/
if (l_tcp->m_nb_tile_parts) {
- if (l_tcp->m_nb_tile_parts == (l_current_part + 1)) {
+ if (l_tcp->m_nb_tile_parts == l_current_part) {
p_j2k->m_specific_param.m_decoder.m_can_decode = 1; /* Process the last tile-part header*/
}
}
if ( l_current_part >= p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps ){
opj_tp_index_t *new_tp_index;
- p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps += 10;
+ p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps = l_current_part + 1;
new_tp_index = (opj_tp_index_t *) opj_realloc(
p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index,
p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_nb_tps * sizeof(opj_tp_index_t));
if (parameters->csty & J2K_CCP_CSTY_PRT) {
OPJ_INT32 p = 0, it_res;
+ assert( tccp->numresolutions > 0 );
for (it_res = tccp->numresolutions - 1; it_res >= 0; it_res--) {
if (p < parameters->res_spec) {
/* Read 2 bytes from the buffer as the marker size */
opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2);
+ /* cf. https://code.google.com/p/openjpeg/issues/detail?id=226 */
+ if (l_current_marker == 0x8080 && opj_stream_get_number_byte_left(p_stream) == 0) {
+ p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_NEOC;
+ break;
+ }
+
/* Why this condition? FIXME */
if (p_j2k->m_specific_param.m_decoder.m_state & J2K_STATE_TPH){
p_j2k->m_specific_param.m_decoder.m_sot_length -= (l_marker_size + 2);
if( (l_offset_x0_src < 0 ) || (l_offset_y0_src < 0 ) || (l_offset_x1_src < 0 ) || (l_offset_y1_src < 0 ) ){
return OPJ_FALSE;
}
+ /* testcase 2977.pdf.asan.67.2198 */
+ if ((OPJ_INT32)l_width_dest < 0 || (OPJ_INT32)l_height_dest < 0) {
+ return OPJ_FALSE;
+ }
/*-----*/
/* Compute the input buffer offset */