Fix undefined size jp2 box handling

Update #653

diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index fea34771b8438d32db7636a20dfaf4bb362c6b58..6c6f6e83504ece80ac4a4bdd2ca74e0e4fa828bb 100644 (file)
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -482,12 +482,16 @@ static OPJ_BOOL opj_jp2_read_boxhdr(opj_jp2_box_t *box,
        opj_read_bytes(l_data_header+4,&(box->type), 4);
     
   if(box->length == 0)/* last box */
-    {
+  {
     const OPJ_OFF_T bleft = opj_stream_get_number_byte_left(cio);
-    box->length = (OPJ_UINT32)bleft;
-    assert( (OPJ_OFF_T)box->length == bleft );
-    return OPJ_TRUE;
+    if (bleft > (OPJ_OFF_T)(0xFFFFFFFFU - 8U)) {
+      opj_event_msg(p_manager, EVT_ERROR, "Cannot handle box sizes higher than 2^32\n");
+      return OPJ_FALSE;
     }
+    box->length = (OPJ_UINT32)bleft + 8U;
+    assert( (OPJ_OFF_T)box->length == bleft + 8 );
+    return OPJ_TRUE;
+  }
 
        /* do we have a "special very large box ?" */
        /* read then the XLBox */
@@ -2112,7 +2116,7 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
                if (box.type == JP2_JP2C) {
                        if (jp2->jp2_state & JP2_STATE_HEADER) {
                                jp2->jp2_state |= JP2_STATE_CODESTREAM;
-                                opj_free(l_current_data);
+                               opj_free(l_current_data);
                                return OPJ_TRUE;
                        }
                        else {
@@ -2127,7 +2131,7 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
                        return OPJ_FALSE;
                }
                /* testcase 1851.pdf.SIGSEGV.ce9.948 */
-        else if (box.length < l_nb_bytes_read) {
+               else if (box.length < l_nb_bytes_read) {
                        opj_event_msg(p_manager, EVT_ERROR, "invalid box size %d (%x)\n", box.length, box.type);
                        opj_free(l_current_data);
                        return OPJ_FALSE;
@@ -2184,16 +2188,16 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
                        }
                }
                else {
-            if (!(jp2->jp2_state & JP2_STATE_SIGNATURE)) {
-                opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: first box must be JPEG 2000 signature box\n");
-                opj_free(l_current_data);
-                return OPJ_FALSE;
-            }
-            if (!(jp2->jp2_state & JP2_STATE_FILE_TYPE)) {
-                opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: second box must be file type box\n");
-                opj_free(l_current_data);
-                return OPJ_FALSE;
-            }
+                       if (!(jp2->jp2_state & JP2_STATE_SIGNATURE)) {
+                               opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: first box must be JPEG 2000 signature box\n");
+                               opj_free(l_current_data);
+                               return OPJ_FALSE;
+                       }
+                       if (!(jp2->jp2_state & JP2_STATE_FILE_TYPE)) {
+                               opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: second box must be file type box\n");
+                               opj_free(l_current_data);
+                               return OPJ_FALSE;
+                       }
                        jp2->jp2_state |= JP2_STATE_UNKNOWN;
                        if (opj_stream_skip(stream,l_current_data_size,p_manager) != l_current_data_size) {
                                opj_event_msg(p_manager, EVT_ERROR, "Problem with skipping JPEG2000 box, stream error\n");

diff --git a/tests/nonregression/md5refs.txt b/tests/nonregression/md5refs.txt
index 82f4cba31733930ebcb0a33f3ee8828e1a1576a6..499441c036161096af1a0f62bfa83104cc434438 100644 (file)
--- a/tests/nonregression/md5refs.txt
+++ b/tests/nonregression/md5refs.txt
@@ -269,3 +269,4 @@ e163102afcc857cf001337178241f518  issue559-eci-090-CIELab.jp2_2.pgx
 b004b2e08b0dfb217c131b353cf157eb  issue559-eci-091-CIELab.jp2_0.pgx
 2400da6b8ed6b1747b9913af544580f9  issue559-eci-091-CIELab.jp2_1.pgx
 cf73dda887967928dbcf5cc87ab204cc  issue559-eci-091-CIELab.jp2_2.pgx
+3bf91c974abc17e520c6a5efa883a58a  issue653-zero-unknownbox.jp2.png

diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index 25201c8fa174d4b9b2a2c794f420730f489ca8df..c316a5eae1b500e755a05ec50ea9ffba263ab199 100644 (file)
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -505,3 +505,6 @@ opj_decompress -i @INPUT_NR_PATH@/issue236-ESYCC-CDEF.jp2 -o @TEMP_PATH@/issue23
 # issue 326 + PR 559: CIELab colorspace
 opj_decompress -i @INPUT_NR_PATH@/issue559-eci-090-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-090-CIELab.jp2.pgx
 opj_decompress -i @INPUT_NR_PATH@/issue559-eci-091-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-091-CIELab.jp2.pgx
+
+# issue 653 Last box of undefined size byg
+opj_decompress -i @INPUT_NR_PATH@/issue653-zero-unknownbox.jp2 -o @TEMP_PATH@/issue653-zero-unknownbox.jp2.png -p 8S