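diff -rupN openjpeg-1.5.1/libopenjpeg/j2k.c openjpeg-1.5.1-new/libopenjpeg/j2k.c
--- openjpeg-1.5.1/libopenjpeg/j2k.c 2013-12-05 10:26:15.000000000 +0100
+++ openjpeg-1.5.1-new/libopenjpeg/j2k.c 2013-12-05 10:32:34.752636957 +0100
@@ -823,6 +823,12 @@ static void j2k_read_coc(opj_j2k_t *j2k)
 
 len = cio_read(cio, 2); /* Lcoc */
 compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
+ if ((compno < 0) || (compno >= image->numcomps)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR ,
+ "bad component number in COC (%d out of a maximum of %d)\n",
+ compno, image->numcomps);
+ return;
+ }
 tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */
 j2k_read_cox(j2k, compno);
 }
@@ -1004,8 +1010,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k)
 
 /* keep your private count of tiles */
 backup_compno++;
- };
+ }
+ else
 #endif /* USE_JPWL */
+ {
+ /* compno is negative or larger than the number of components!!! */
+ if ((compno < 0) || (compno >= numcomp)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
+ compno, numcomp);
+ return;
+ }
+ }
 
 j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
@@ -1051,6 +1067,17 @@ static void j2k_read_poc(opj_j2k_t *j2k)
 tcp->POC = 1;
 len = cio_read(cio, 2); /* Lpoc */
 numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
+
+ {
+ /* old_poc < 0 "just in case" */
+ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
+ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
+ (numpchgs + old_poc), maxpocs);
+ return;
+ }
+ }
 
 for (i = old_poc; i < numpchgs + old_poc; i++) {
 opj_poc_t *poc;
@@ -1590,6 +1617,14 @@ static void j2k_read_rgn(opj_j2k_t *j2k)
 };
 #endif /* USE_JPWL */
 
+ /* totlen is negative or larger than the bytes left!!! */
+ if (compno >= numcomps) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad component number in RGN (%d when there are only %d)\n",
+ compno, numcomps);
+ return;
+ }
+
 tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */
 }
 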
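Review bot: The four new bounds checks in j2k_read_coc, j2k_read_qcc, j2k_read_poc and j2k_read_rgn only log EVT_ERROR and `return;` from `static void` handlers, so nothing in these hunks tells the caller that the marker was rejected. Whether the decode loop stops is decided outside the hunks; if it keys on the decoder state, each error path should also record the failure, e.g. `j2k->state |= J2K_STATE_ERR;` before `return;`, since otherwise parsing may resume in the middle of a marker segment taken from an untrusted codestream. In the RGN hunk the comment `/* totlen is negative or larger than the bytes left!!! */` does not describe the `compno >= numcomps` test under it; `/* compno is larger than the number of components */` would. All four function bodies start outside their hunks.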
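diff -rupN openjpeg-1.5.1/libopenjpeg/tcd.c openjpeg-1.5.1-new/libopenjpeg/tcd.c
--- openjpeg-1.5.1/libopenjpeg/tcd.c 2012-09-13 09:58:39.000000000 +0200
+++ openjpeg-1.5.1-new/libopenjpeg/tcd.c 2013-12-05 10:32:21.721452575 +0100
@@ -1394,10 +1394,19 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd,
 return OPJ_FALSE;
 }
 
+ int comp0size = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
 for (compno = 0; compno < tile->numcomps; ++compno) {
 opj_tcd_tilecomp_t* tilec = &tile->comps[compno];
+ int compcsize = ((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0));
+ /* Later-on it is assumed that all components are of at least comp0size blocks */
+ if (compcsize < comp0size)
+ {
+ opj_event_msg(tcd->cinfo, EVT_ERROR, "Error decoding tile. Component %d contains only %d blocks "
+ "while component 0 has %d blocks\n", compno, compcsize, comp0size);
+ return OPJ_FALSE;
+ }
 /* The +3 is headroom required by the vectorized DWT */
- tilec->data = (int*) opj_aligned_malloc((((tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0))+3) * sizeof(int));
+ tilec->data = (int*) opj_aligned_malloc((comp0size+3) * sizeof(int));
 if (tilec->data == NULL)
 {
 opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");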
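Review bot: The guard rejects only `compcsize < comp0size`, while the allocation is now `(comp0size+3) * sizeof(int)` for every component, so a component with more samples than component 0 passes the check and gets a buffer smaller than its own area (the removed line sized it per component). Sizing by the larger of the two keeps the invariant in both directions: `int bufsize = compcsize > comp0size ? compcsize : comp0size;` followed by `opj_aligned_malloc((bufsize+3) * sizeof(int))`. Both products are computed in `int` from tile bounds that presumably derive from the codestream, and no overflow check is visible before the multiplication by `sizeof(int)`. tcd_decode_tile's body starts and ends outside the hunk.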