1 |
diff -rupN openjpeg-1.5.1/libopenjpeg/cio.c openjpeg-1.5.1-new/libopenjpeg/cio.c |
2 |
--- openjpeg-1.5.1/libopenjpeg/cio.c 2012-09-13 09:58:39.000000000 +0200 |
3 |
+++ openjpeg-1.5.1-new/libopenjpeg/cio.c 2013-12-05 10:25:07.717415888 +0100 |
4 |
@@ -30,6 +30,7 @@ |
5 |
*/ |
6 |
|
7 |
#include "opj_includes.h" |
8 |
+#include <assert.h> |
9 |
|
10 |
/* ----------------------------------------------------------------------- */ |
11 |
|
12 |
@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns |
13 |
* Read a byte. |
14 |
*/ |
15 |
unsigned char cio_bytein(opj_cio_t *cio) { |
16 |
+ if (cio->bp < cio->start) { |
17 |
+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); |
18 |
+ abort(); |
19 |
+ return 0; |
20 |
+ } |
21 |
if (cio->bp >= cio->end) { |
22 |
opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end); |
23 |
return 0; |
24 |
@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in |
25 |
unsigned int v; |
26 |
v = 0; |
27 |
for (i = n - 1; i >= 0; i--) { |
28 |
- v += cio_bytein(cio) << (i << 3); |
29 |
+ v += (unsigned int)cio_bytein(cio) << (i << 3); |
30 |
} |
31 |
return v; |
32 |
} |
33 |
@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in |
34 |
* n : number of bytes to skip |
35 |
*/ |
36 |
void cio_skip(opj_cio_t *cio, int n) { |
37 |
+ assert((cio->bp + n) >= cio->bp); |
38 |
cio->bp += n; |
39 |
} |
40 |
|
41 |
diff -rupN openjpeg-1.5.1/libopenjpeg/jp2.c openjpeg-1.5.1-new/libopenjpeg/jp2.c |
42 |
--- openjpeg-1.5.1/libopenjpeg/jp2.c 2012-09-13 09:58:39.000000000 +0200 |
43 |
+++ openjpeg-1.5.1-new/libopenjpeg/jp2.c 2013-12-05 10:25:07.718415907 +0100 |
44 |
@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm |
45 |
} |
46 |
else if (box->length == 0) { |
47 |
box->length = cio_numbytesleft(cio) + 8; |
48 |
+ } else if (box->length < 0) { |
49 |
+ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n"); |
50 |
+ return OPJ_FALSE; |
51 |
} |
52 |
|
53 |
return OPJ_TRUE; |