[trunk]fixes buffer overflow in t2.c

author Antonin Descampe <antonin@gmail.com>

Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)

committer Antonin Descampe <antonin@gmail.com>

Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)
author Antonin Descampe <antonin@gmail.com>
Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)
committer Antonin Descampe <antonin@gmail.com>
Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)
diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c

index f2a7c9a57cbd659b127a3bc75bcc409327436619..cdd35e8c222e97ca0eec5646b8404417d276d55b 100644 (file)
--- a/src/lib/openjp2/t2.c
+++ b/src/lib/openjp2/t2.c
@@ -1132,7 +1132,7 @@ OPJ_BOOL opj_t2_read_packet_data(   opj_t2_t* p_t2,
  
                          do {
                                  /* Check possible overflow (on l_current_data only, assumes input args already checked) then size */
-                                if (((OPJ_SIZE_T)(l_current_data + l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) {
+                                if ((((OPJ_SIZE_T)l_current_data + (OPJ_SIZE_T)l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) {
                                          fprintf(stderr, "read: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
                                                  l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno);
                                          return OPJ_FALSE;
author	Antonin Descampe <antonin@gmail.com>
	Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)
committer	Antonin Descampe <antonin@gmail.com>
	Fri, 3 Oct 2014 10:15:28 +0000 (10:15 +0000)