[trunk] Import commit fc884aee2b69c78500e65c3d05bf216791a9ea4a from ghostpdl
authorMathieu Malaterre <mathieu.malaterre@gmail.com>
Tue, 25 Feb 2014 13:38:32 +0000 (13:38 +0000)
committerMathieu Malaterre <mathieu.malaterre@gmail.com>
Tue, 25 Feb 2014 13:38:32 +0000 (13:38 +0000)
prevent heap overflow in opj_t2_read_packet_header

Also prevent a double-free of segment data under OOM conditions.

Problem found in a test file, 1802.pdf.SIGSEGV.36e.894 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!

Update issue 225

src/lib/openjp2/t2.c

index a3cf75d9bdcab4d97c8aeb974867e9ac40c8c2be..7c1eb704179ceba2b4ba3396e6877b9b36ad5a7f 100644 (file)
@@ -981,6 +981,11 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2,
                         do {
                                 l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n);
                                 l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses));
+                                /* testcase 1802.pdf.SIGSEGV.36e.894 */
+                                if (l_cblk->segs[l_segno].newlen > *l_modified_length_ptr) {
+                                        opj_bio_destroy(l_bio);
+                                        return OPJ_FALSE;
+                                }
 
                                 n -= l_cblk->segs[l_segno].numnewpasses;
                                 if (n > 0) {
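Review bot: The guard added at line 25 bounds only one segment's newlen against *l_modified_length_ptr (which appears to be the remaining packet length), so the segment lengths accumulated across iterations of this `do` loop, and across the code-blocks of the same packet, can still sum past that limit; unless opj_t2_read_packet_data re-checks each newlen against the bytes actually left in the source buffer before copying (not visible in this hunk), the check should be made cumulative rather than per segment. The comment on the new check names only the test case; a reason comment such as `/* a segment length larger than the remaining packet body would be copied past the end of the source buffer */` tells the next reader which invariant is enforced. The early return is silent, while the commented-out opj_event_msg call in opj_t2_read_packet_data suggests p_manager is available to these functions, so reporting the rejected length through opj_event_msg(p_manager, EVT_ERROR, ...) would make a truncated or hostile stream diagnosable instead of just a failed decode. opj_t2_read_packet_header begins and ends outside the hunk.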
@@ -1116,6 +1121,7 @@ OPJ_BOOL opj_t2_read_packet_data(   opj_t2_t* p_t2,
                                     OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen);
                                     if(! new_cblk_data) {
                                         opj_free(l_cblk->data);
+                                        l_cblk->data = NULL;
                                         l_cblk->data_max_size = 0;
                                         /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */
                                         return OPJ_FALSE;
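Review bot: l_cblk->data_current_size keeps its old value on the realloc failure path while data is now NULL and data_max_size is 0, so any later consumer that trusts data_current_size would read through a null pointer; resetting it alongside the other two fields, `l_cblk->data_current_size = 0;`, keeps the code-block state consistent. The requested size `l_cblk->data_current_size + l_seg->newlen` is computed with no overflow check even though newlen is taken from the packet header; if these are 32-bit unsigned fields (their types are not visible here) a wrapped sum allocates a small buffer that the following copy then overruns, so a guard such as `if (l_seg->newlen > UINT32_MAX - l_cblk->data_current_size) return OPJ_FALSE;` placed before the opj_realloc is worth adding. The out-of-memory report is still commented out (and misspells "data" as "cata"); restoring it as `opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block data!\n");` turns a silent OPJ_FALSE into a diagnosable failure. opj_t2_read_packet_data begins and ends outside the hunk.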