path: root/extra/openjpeg/openjpeg-1.5.1-CVE-2013-6045.patch
blob: f45566f36de42f9a2880e4617ce0c13fc1e6f1a5 (plain)
diff -up openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/j2k.c
--- openjpeg-1.5.1/libopenjpeg/j2k.c.CVE-2013-6045	2014-01-07 15:11:30.622278207 -0600
+++ openjpeg-1.5.1/libopenjpeg/j2k.c	2014-01-07 15:11:30.626278165 -0600
@@ -1076,6 +1076,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
 	tcp->POC = 1;
 	len = cio_read(cio, 2);		/* Lpoc */
 	numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
+
+	{
+		/* old_poc < 0 "just in case" */
+		int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
+		if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
+			opj_event_msg(j2k->cinfo, EVT_ERROR,
+				"JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
+				(numpchgs + old_poc), maxpocs);
+			return;
+		}
+	}
 	
 	for (i = old_poc; i < numpchgs + old_poc; i++) {
 		opj_poc_t *poc;
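Review bot: The early `return` in the new bounds check leaves `tcp->POC = 1` (set on the first context line) in place, and because `j2k_read_poc` returns void the caller gets only a logged message to tell that the POC segment was rejected. Consider moving `tcp->POC = 1;` below the check and recording the failure before returning, e.g. `j2k->state |= J2K_STATE_ERR;`, if that flag is what the marker loop tests (the loop is not visible here). The `>=` also rejects `numpchgs + old_poc == maxpocs`, which the `for` loop below would still index safely; if that is deliberate because of code after the loop, the comment should say so instead of `old_poc < 0 "just in case"`. The function starts and ends outside this hunk.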
@@ -1622,6 +1633,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
     return;
   }
 
+	/* totlen is negative or larger than the bytes left!!! */
+	if (compno >= numcomps) {
+		opj_event_msg(j2k->cinfo, EVT_ERROR,
+			"JPWL: bad component number in RGN (%d when there are only %d)\n",
+			compno, numcomps);
+		return;
+	}
+
 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
 }
 
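Review bot: The comment above the new check, `/* totlen is negative or larger than the bytes left!!! */`, describes a different test; the code that follows compares `compno` with `numcomps` so that the write to `tcp->tccps[compno].roishift` stays in bounds. Replace it with something like `/* compno is read from the codestream and indexes tcp->tccps[]; reject values >= numcomps */`. If `compno` is declared as a signed int (its declaration is outside the hunk), `if (compno < 0 || compno >= numcomps)` makes the lower bound explicit at no cost. The `JPWL:` prefix on the message is also misleading when triaging logs unless this path is JPWL-only, which the hunk does not show.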
diff -up openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045 openjpeg-1.5.1/libopenjpeg/tcd.c
--- openjpeg-1.5.1/libopenjpeg/tcd.c.CVE-2013-6045	2012-09-13 02:58:39.000000000 -0500
+++ openjpeg-1.5.1/libopenjpeg/tcd.c	2014-01-07 15:11:30.626278165 -0600
@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
         return OPJ_FALSE;
     }
 
+	int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
 	for (compno = 0; compno < tile->numcomps; ++compno) {
 		opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
+		int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
+		/* Later-on it is assumed that all components are of at least comp0size blocks */
+		if (compcsize < comp0size)
+		{
+			opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
+				"while component 0 has %d blocks\n", compno, compcsize, comp0size);
+			return OPJ_FALSE;
+		}
 		/* The +3 is headroom required by the vectorized DWT */
-		tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
+		tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
         if (tilec->data == NULL)
         {
             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
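Review bot: Every component's buffer is now sized from `comp0size`, while the new check only rejects components smaller than component 0, so a component larger than component 0 gets a buffer smaller than its own `x1-x0` by `y1-y0` area. If later decoding writes according to each component's own dimensions (outside this hunk), that is a heap overflow the old per-component allocation did not have. Both `comp0size` and `compcsize` are also plain `int` products of codestream-derived extents and can overflow before the comparison, which would make the `compcsize < comp0size` test meaningless. Size the allocation from the larger of the two counts and validate the extents before multiplying; the `comp0size` computation above the loop needs the same guard. The function continues past the end of the hunk.

```c
	/* … unchanged: comp0size computation (needs the same extent check), loop header … */
		opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
		int w = tilec->x1 - tilec->x0;
		int h = tilec->y1 - tilec->y0;
		int compcsize;
		int alloc_elems;
		/* Extents come from the codestream: make sure (w * h + 3) * sizeof(int) cannot overflow */
		if (w < 0 || h < 0 || (h != 0 && w > (INT_MAX / (int)sizeof(int) - 3) / h)) {
			opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Invalid dimensions for component %d\n", compno);
			return OPJ_FALSE;
		}
		compcsize = w * h;
		/* … unchanged: compcsize < comp0size rejection … */
		/* Never allocate less than the component's own area */
		alloc_elems = (compcsize > comp0size) ? compcsize : comp0size;
		/* The +3 is headroom required by the vectorized DWT */
		tilec->data = (int*) opj_aligned_malloc(((size_t)alloc_elems + 3) * sizeof(int));
```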