[trunk] Fix overflow in opj_image_comp_header_update (fixes issue 495)

diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index 8e68668e42758a97d7e61d18017f26115a342835..3646e9980cffae1b6688afac8af864e1127386e2 100644 (file)
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -107,27 +107,29 @@ void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
 void opj_image_comp_header_update(opj_image_t * p_image_header, const struct opj_cp * p_cp)
 {
        OPJ_UINT32 i, l_width, l_height;
-       OPJ_INT32 l_x0, l_y0, l_x1, l_y1;
-       OPJ_INT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
+       OPJ_UINT32 l_x0, l_y0, l_x1, l_y1;
+       OPJ_UINT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
        opj_image_comp_t* l_img_comp = NULL;
 
-       l_x0 = opj_int_max((OPJ_INT32)p_cp->tx0 , (OPJ_INT32)p_image_header->x0);
-       l_y0 = opj_int_max((OPJ_INT32)p_cp->ty0 , (OPJ_INT32)p_image_header->y0);
-       l_x1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + p_cp->tw * p_cp->tdx), (OPJ_INT32)p_image_header->x1);
-       l_y1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + p_cp->th * p_cp->tdy), (OPJ_INT32)p_image_header->y1);
+       l_x0 = opj_uint_max(p_cp->tx0 , p_image_header->x0);
+       l_y0 = opj_uint_max(p_cp->ty0 , p_image_header->y0);
+       l_x1 = p_cp->tx0 + (p_cp->tw - 1U) * p_cp->tdx; /* validity of p_cp members used here checked in opj_j2k_read_siz. Can't overflow. */
+       l_y1 = p_cp->ty0 + (p_cp->th - 1U) * p_cp->tdy; /* can't overflow */
+       l_x1 = opj_uint_min(opj_uint_adds(l_x1, p_cp->tdx), p_image_header->x1); /* use add saturated to prevent overflow */
+       l_y1 = opj_uint_min(opj_uint_adds(l_y1, p_cp->tdy), p_image_header->y1); /* use add saturated to prevent overflow */
 
        l_img_comp = p_image_header->comps;
        for     (i = 0; i < p_image_header->numcomps; ++i) {
-               l_comp_x0 = opj_int_ceildiv(l_x0, (OPJ_INT32)l_img_comp->dx);
-               l_comp_y0 = opj_int_ceildiv(l_y0, (OPJ_INT32)l_img_comp->dy);
-               l_comp_x1 = opj_int_ceildiv(l_x1, (OPJ_INT32)l_img_comp->dx);
-               l_comp_y1 = opj_int_ceildiv(l_y1, (OPJ_INT32)l_img_comp->dy);
-               l_width = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_x1 - l_comp_x0, (OPJ_INT32)l_img_comp->factor);
-               l_height = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_y1 - l_comp_y0, (OPJ_INT32)l_img_comp->factor);
+               l_comp_x0 = opj_uint_ceildiv(l_x0, l_img_comp->dx);
+               l_comp_y0 = opj_uint_ceildiv(l_y0, l_img_comp->dy);
+               l_comp_x1 = opj_uint_ceildiv(l_x1, l_img_comp->dx);
+               l_comp_y1 = opj_uint_ceildiv(l_y1, l_img_comp->dy);
+               l_width   = opj_uint_ceildivpow2(l_comp_x1 - l_comp_x0, l_img_comp->factor);
+               l_height  = opj_uint_ceildivpow2(l_comp_y1 - l_comp_y0, l_img_comp->factor);
                l_img_comp->w = l_width;
                l_img_comp->h = l_height;
-               l_img_comp->x0 = (OPJ_UINT32)l_comp_x0/*l_x0*/;
-               l_img_comp->y0 = (OPJ_UINT32)l_comp_y0/*l_y0*/;
+               l_img_comp->x0 = l_comp_x0;
+               l_img_comp->y0 = l_comp_y0;
                ++l_img_comp;
        }
 }

diff --git a/src/lib/openjp2/opj_intmath.h b/src/lib/openjp2/opj_intmath.h
index 4e299469dee73420b473bc56d5523c62dbe6fbf3..8fa89c031b373da3bbe99119fcf6c04eb994520e 100644 (file)
--- a/src/lib/openjp2/opj_intmath.h
+++ b/src/lib/openjp2/opj_intmath.h
@@ -137,6 +137,15 @@ Divide an integer by a power of 2 and round upwards
 static INLINE OPJ_INT32 opj_int_ceildivpow2(OPJ_INT32 a, OPJ_INT32 b) {
        return (OPJ_INT32)((a + (OPJ_INT64)(1 << b) - 1) >> b);
 }
+
+/**
+ Divide an integer by a power of 2 and round upwards
+ @return Returns a divided by 2^b
+ */
+static INLINE OPJ_UINT32 opj_uint_ceildivpow2(OPJ_UINT32 a, OPJ_UINT32 b) {
+       return (OPJ_UINT32)((a + (OPJ_UINT64)(1U << b) - 1U) >> b);
+}
+
 /**
 Divide an integer by a power of 2 and round downwards
 @return Returns a divided by 2^b

diff --git a/tests/nonregression/md5refs.txt b/tests/nonregression/md5refs.txt
index eb04c0ba377a75468d04702f99e34d0efc665712..caeab6d6aee24e55d048cd30e6bf4bd66c4fb0a2 100644 (file)
--- a/tests/nonregression/md5refs.txt
+++ b/tests/nonregression/md5refs.txt
@@ -179,3 +179,6 @@ ec8d1c99db9763a8ba489df4f41dda53  issue411-ycc420.jp2_2.pgx
 f004b48eafb2e52529cc9c7b6a3ff5d2  issue458.jp2_1.pgx
 3127bd0a591d113c3c2428c8d2c14ec8  issue458.jp2_2.pgx
 dacaf60e4c430916a8c2a9ebec32e71c  issue458.jp2_3.pgx
+d33fb5dbddb9b9b4438eb51fa27445a3  issue495.jp2_0.pgx
+27db8c35e12a5d5eb94d403d2aae2909  issue495.jp2_1.pgx
+97da625d2f2d0b75bf891d8083ce8bfb  issue495.jp2_2.pgx

diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index a894342484d4c83fddd513642537f2dfaaa83b6c..eaaa2e0446d8a50f0a667524c3e5c925e19f45d4 100644 (file)
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -264,6 +264,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue458.jp2 -o @TEMP_PATH@/issue458.jp2.pgx
 !opj_decompress -i @INPUT_NR_PATH@/issue476.jp2 -o @TEMP_PATH@/issue476.jp2.pgx
 # issue 475 Invalid number of layers
 !opj_decompress -i @INPUT_NR_PATH@/issue475.jp2 -o @TEMP_PATH@/issue475.jp2.pgx
+# issue 495 Overflow op_image_comp_header_updat
+opj_decompress -i @INPUT_NR_PATH@/issue495.jp2 -o @TEMP_PATH@/issue495.jp2.pgx
 
 
 # decode with specific area