diff -rupN openjpeg-1.5.2/libopenjpeg/jp2.c openjpeg-1.5.2-new/libopenjpeg/jp2.c
--- openjpeg-1.5.2/libopenjpeg/jp2.c 2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/jp2.c 2014-04-03 23:45:10.084005901 +0200
@@ -957,6 +968,13 @@ static opj_bool jp2_read_ftyp(opj_jp2_t
}
jp2->cl = (unsigned int *) opj_malloc(jp2->numcl * sizeof(unsigned int));
+ if (cio_numbytesleft(cio) < ((int)jp2->numcl * 4)) {
+ opj_event_msg(cinfo, EVT_ERROR, "Not enough bytes in FTYP Box "
+ "(expected %d, but only %d left)\n",
+ ((int)jp2->numcl * 4), cio_numbytesleft(cio));
+ return OPJ_FALSE;
+ }
+
for (i = 0; i < (int)jp2->numcl; i++) {
jp2->cl[i] = cio_read(cio, 4); /* CLi */
}
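Review bot: The new length check sits after `opj_malloc(jp2->numcl * sizeof(unsigned int))`, so a numcl taken from the file still sizes the allocation before the box is rejected, and nothing in the visible lines checks the allocation result before `jp2->cl[i]` is written. Move the check above the allocation and follow the allocation with `if (jp2->cl == NULL) return OPJ_FALSE;`. `(int)jp2->numcl * 4` is signed arithmetic that can overflow for a large numcl; comparing by division, `if (jp2->numcl > (unsigned int)cio_numbytesleft(cio) / 4)`, avoids the multiplication, assuming cio_numbytesleft() never returns a negative value. If the early return stays after the allocation, confirm that the caller's cleanup frees jp2->cl; jp2_read_ftyp starts and ends outside the hunk.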
diff -rupN openjpeg-1.5.2/libopenjpeg/opj_malloc.h openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h
--- openjpeg-1.5.2/libopenjpeg/opj_malloc.h 2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/opj_malloc.h 2014-04-03 23:45:40.743555542 +0200
@@ -48,7 +48,7 @@ Allocate an uninitialized memory block
#ifdef ALLOC_PERF_OPT
void * OPJ_CALLCONV opj_malloc(size_t size);
#else
-#define opj_malloc(size) malloc(size)
+#define opj_malloc(size) calloc(1, size)
#endif
/**
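Review bot: Only the `#else` branch is changed, so a build with ALLOC_PERF_OPT defined still gets whatever the external `opj_malloc()` returns, and the zero-fill hardening silently depends on build configuration. The doc comment above the macro (visible in the hunk header as "Allocate an uninitialized memory block") is now wrong for this branch and should say the block is zero-initialized. I would also add a comment on the macro such as `/* zero-filled on purpose: decoder paths may read allocated buffers before writing them */`, so the calloc is not later "optimised" back to malloc. Zero-filling hides uninitialised reads rather than removing them, so the affected call sites still need their own checks.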
diff -rupN openjpeg-1.5.2/libopenjpeg/t2.c openjpeg-1.5.2-new/libopenjpeg/t2.c
--- openjpeg-1.5.2/libopenjpeg/t2.c 2014-03-27 11:58:08.000000000 +0100
+++ openjpeg-1.5.2-new/libopenjpeg/t2.c 2014-04-03 23:46:52.870848475 +0200
@@ -341,6 +341,11 @@ static int t2_decode_packet(opj_t2_t* t2
int precno = pi->precno; /* precinct value */
int layno = pi->layno; /* quality layer value */
+ if (!&(tile->comps[compno])) {
+ opj_event_msg(t2->cinfo, EVT_ERROR, "Trying to decode tile with no components!\n");
+ return -999;
+ }
+
unsigned char *hd = NULL;
int present;
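Review bot: The condition `!&(tile->comps[compno])` tests the address of an array element, which is only null when `tile->comps` is NULL and compno is 0; for any other compno it is non-null even with a NULL base, and a compiler may fold the whole test away. The check that was probably intended is on the pointer and the index, e.g. `if (tile->comps == NULL || compno < 0 || compno >= tile->numcomps) {` (the `numcomps` field is used on the tile in tcd.c; compno's declaration is outside the hunk, so confirm its type). The block is also inserted between declarations, which breaks C89 builds; move it below `int present;` and the remaining declarations. The bare `-999` would read better as a named constant shared with the other error returns of t2_decode_packet, whose body continues outside the hunk.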
diff -rupN openjpeg-1.5.2/libopenjpeg/tcd.c openjpeg-1.5.2-new/libopenjpeg/tcd.c
--- openjpeg-1.5.2/libopenjpeg/tcd.c 2014-04-03 23:31:42.490473672 +0200
+++ openjpeg-1.5.2-new/libopenjpeg/tcd.c 2014-04-03 23:47:57.835012876 +0200
@@ -672,8 +672,8 @@ void tcd_malloc_decode(opj_tcd_t *tcd, o
y1 = j == 0 ? tilec->y1 : int_max(y1, (unsigned int) tilec->y1);
}
- w = int_ceildivpow2(x1 - x0, image->comps[i].factor);
- h = int_ceildivpow2(y1 - y0, image->comps[i].factor);
+ w = int_ceildivpow2((long)(x1) - (long)(x0), image->comps[i].factor);
+ h = int_ceildivpow2((long)(y1) - (long)(y0), image->comps[i].factor);
image->comps[i].w = w;
image->comps[i].h = h;
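Review bot: The `(long)` casts only widen the subtraction where long is 64-bit; on 32-bit builds and 64-bit Windows long is 32 bits, so `x1 - x0` and `y1 - y0` can still overflow there. Using a fixed-width type, `(int64_t)x1 - (int64_t)x0`, makes the widening portable. The difference is then passed to int_ceildivpow2, whose prototype is not visible here; if it takes an int the value is narrowed again at the call, so the wide difference should be range-checked (non-negative and at most INT_MAX) before w and h are stored in `image->comps[i]`. tcd_malloc_decode starts and ends outside the hunk.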
@@ -1391,6 +1391,12 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
return OPJ_FALSE;
}
+ /* The code below assumes that numcomps > 0 */
+ if (tile->numcomps <= 0) {
+ opj_event_msg(tcd->cinfo, EVT_ERROR, "tcd_decode: tile has a zero or negative numcomps\n");
+ return OPJ_TRUE;
+ }
+
/*------------------TIER1-----------------*/
t1_time = opj_clock(); /* time needed to decode a tile */
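Review bot: The new guard logs an EVT_ERROR and then returns `OPJ_TRUE`, so a tile with no components is reported to the caller as successfully decoded, while the error path just above it returns `OPJ_FALSE`. Unless callers depend on this leniency, the return should be `return OPJ_FALSE;` so that later stages do not consume tile data that was never produced. If success is intended, downgrade the message to a warning and say so in the comment, e.g. `/* nothing to decode; treated as success so remaining tiles are still processed */`. tcd_decode_tile starts and ends outside the hunk.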