[trunk] Fix Heap-based buffer-overflow when decoding openjpeg image
authorMathieu Malaterre <mathieu.malaterre@gmail.com>
Mon, 10 Sep 2012 11:05:15 +0000 (11:05 +0000)
committerMathieu Malaterre <mathieu.malaterre@gmail.com>
Mon, 10 Sep 2012 11:05:15 +0000 (11:05 +0000)
Thanks to Huzaifa Sidhpurwala of the Red Hat Security Response Team for the report.
This does not affect release 1.5.0 or the 1.5 release branch.

Fixes issue 170

libopenjpeg/t2.c

index 573c26777962d814cc2452f45370490f87e83f78..207287d4845ce3e1a9f84f4f760dbedd831713a3 100644 (file)
@@ -1826,6 +1826,10 @@ static opj_bool t2_read_packet_data(
 
 #endif /* USE_JPWL */
 
+                                if ((l_cblk->len + l_seg->newlen) > 8192) {
+                                        return OPJ_FALSE;
+                                }
+                               
                                 memcpy(l_cblk->data + l_cblk->len, l_current_data, l_seg->newlen);
 
                                 if (l_seg->numpasses == 0) {
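Review bot: The added check before the memcpy hard-codes 8192, while the limit that actually matters is the allocated size of `l_cblk->data`, which the hunk does not show; if that allocation is ever sized differently the guard silently diverges from it, so a named constant or a size field kept alongside the buffer, with a comment such as `/* l_cblk->data holds at most 8192 bytes; reject a segment that would overrun it */`, would document the bound. The sum `l_cblk->len + l_seg->newlen` can also wrap before the comparison if both fields are 32-bit unsigned and `newlen` comes from the packet header, so a wrap-safe form such as `if (l_seg->newlen > 8192 || l_cblk->len > 8192 - l_seg->newlen) {` is preferable (this assumes both are unsigned; if they are signed, a negative `newlen` would need rejecting as well). The new line after the closing brace consists only of trailing whitespace and should be an empty line. t2_read_packet_data begins and ends outside the hunk, so whether the early `return OPJ_FALSE` leaves any partially consumed state behind cannot be judged from here.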