opj_j2k_read_sot(): check current TPSot number regarding previous (non-zero) TNsot...
[openjpeg.git] / src / lib / openjp2 / t2.c
index 9b28a3e038cd716001c80638e7ae3b2ac3c908f3..93b77ef0a3bd09aa717ff9fc4860cdbf7bee7d77 100644 (file)
@@ -38,6 +38,8 @@
  */
 
 #include "opj_includes.h"
+#include "opj_common.h"
+
 
 /** @defgroup T2 T2 - Implementation of a tier-2 coding */
 /*@{*/
@@ -87,6 +89,7 @@ Decode a packet of a tile from a source buffer
 @param data_read   FIXME DOC
 @param max_length  FIXME DOC
 @param pack_info Packet information
+@param p_manager the user event manager
 
 @return  FIXME DOC
 */
@@ -1125,10 +1128,19 @@ static OPJ_BOOL opj_t2_read_packet_header(opj_t2_t* p_t2,
             n = (OPJ_INT32)l_cblk->numnewpasses;
 
             do {
+                OPJ_UINT32 bit_number;
                 l_cblk->segs[l_segno].numnewpasses = (OPJ_UINT32)opj_int_min((OPJ_INT32)(
                         l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses), n);
-                l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio,
-                                               l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses));
+                bit_number = l_cblk->numlenbits + opj_uint_floorlog2(
+                                 l_cblk->segs[l_segno].numnewpasses);
+                if (bit_number > 32) {
+                    opj_event_msg(p_manager, EVT_ERROR,
+                                  "Invalid bit number %d in opj_t2_read_packet_header()\n",
+                                  bit_number);
+                    opj_bio_destroy(l_bio);
+                    return OPJ_FALSE;
+                }
+                l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, bit_number);
                 JAS_FPRINTF(stderr, "included=%d numnewpasses=%d increment=%d len=%d \n",
                             l_included, l_cblk->segs[l_segno].numnewpasses, l_increment,
                             l_cblk->segs[l_segno].newlen);
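Review bot: `bit_number` is declared OPJ_UINT32, but the new opj_event_msg call right after the `bit_number > 32` check formats it with `%d`; the specifier should match the argument type, `"Invalid bit number %u in opj_t2_read_packet_header()\n"`. The rejection bound itself is not explained in the code; since the value feeds opj_bio_read and is stored into `newlen`, which looks 32-bit from its use here, a short comment such as `/* newlen is 32-bit wide; a longer length field cannot be represented and indicates a corrupt packet header */` would tell the next reader why 32 and not some other limit (confirm against the opj_bio_read contract). The error path destroys `l_bio` before returning, which matches the other bail-outs as far as the hunk shows; opj_t2_read_packet_header starts and ends outside the hunk, so any other state that those paths release should be checked there.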
@@ -1276,7 +1288,8 @@ static OPJ_BOOL opj_t2_read_packet_data(opj_t2_t* p_t2,
 
 #endif /* USE_JPWL */
                 /* Check possible overflow on size */
-                if ((l_cblk->data_current_size + l_seg->newlen) < l_cblk->data_current_size) {
+                if ((l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA) <
+                        l_cblk->data_current_size) {
                     opj_event_msg(p_manager, EVT_ERROR,
                                   "read: segment too long (%d) with current size (%d > %d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
                                   l_seg->newlen, l_cblk->data_current_size, 0xFFFFFFFF - l_seg->newlen, cblkno,
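Review bot: The widened overflow guard can still be bypassed when `l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA` itself wraps: a `newlen` within OPJ_COMMON_CBLK_DATA_EXTRA of UINT32_MAX turns the three-term sum into a small value that is not below `data_current_size`, so the check passes and the opj_realloc in the following hunk is sized far smaller than the segment it must hold. Guard the partial sum first: `if (l_seg->newlen > 0xFFFFFFFFU - OPJ_COMMON_CBLK_DATA_EXTRA || (l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA) < l_cblk->data_current_size) {`. The message's `0xFFFFFFFF - l_seg->newlen` bound also no longer accounts for the extra bytes and prints unsigned values with `%d`. This may be moot if `newlen` has already been bounded against the remaining input earlier in opj_t2_read_packet_data, which lies outside the hunk; the function begins and ends outside the hunk.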
@@ -1284,9 +1297,10 @@ static OPJ_BOOL opj_t2_read_packet_data(opj_t2_t* p_t2,
                     return OPJ_FALSE;
                 }
                 /* Check if the cblk->data have allocated enough memory */
-                if ((l_cblk->data_current_size + l_seg->newlen) > l_cblk->data_max_size) {
+                if ((l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA) >
+                        l_cblk->data_max_size) {
                     OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data,
-                                              l_cblk->data_current_size + l_seg->newlen);
+                                              l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA);
                     if (! new_cblk_data) {
                         opj_free(l_cblk->data);
                         l_cblk->data = NULL;
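Review bot: The size expression `l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA` is now spelled out three times — in the guard of the preceding hunk, in this opj_realloc call, and in the `data_max_size` assignment that follows — so the copies can drift apart on the next edit. Compute it once into a local before the overflow check, `OPJ_UINT32 l_new_size = l_cblk->data_current_size + l_seg->newlen + OPJ_COMMON_CBLK_DATA_EXTRA;`, and use `l_new_size` in all three places. A one-line comment on that local stating what OPJ_COMMON_CBLK_DATA_EXTRA is for (the hunk only shows it as padding added beyond the segment length) would record the intent the diff currently leaves implicit. opj_t2_read_packet_data begins and ends outside this hunk.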
@@ -1294,7 +1308,8 @@ static OPJ_BOOL opj_t2_read_packet_data(opj_t2_t* p_t2,
                         /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */
                         return OPJ_FALSE;
                     }
-                    l_cblk->data_max_size = l_cblk->data_current_size + l_seg->newlen;
+                    l_cblk->data_max_size = l_cblk->data_current_size + l_seg->newlen +
+                                            OPJ_COMMON_CBLK_DATA_EXTRA;
                     l_cblk->data = new_cblk_data;
                 }