From 58fc86452dbe0ebfd62077c0d8ec3db688417d3a Mon Sep 17 00:00:00 2001
From: Matthieu Darbois
Date: Thu, 18 Dec 2014 22:56:38 +0000
Subject: [PATCH] [trunk] Fixed a crash on illegal tile offset when decoding

Update issue 427
---
 src/lib/openjp2/j2k.c | 16 +++++++++++++++-
 tests/nonregression/CMakeLists.txt | 1 +
 tests/nonregression/test_suite.ctest.in | 2 ++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 656bf6de..cf4114d7 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -1919,7 +1919,7 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
 OPJ_UINT32 l_nb_comp_remain;
 OPJ_UINT32 l_remaining_size;
 OPJ_UINT32 l_nb_tiles;
- OPJ_UINT32 l_tmp;
+ OPJ_UINT32 l_tmp, l_tx1, l_ty1;
 opj_image_t *l_image = 00;
 opj_cp_t *l_cp = 00;
 opj_image_comp_t * l_img_comp = 00;
@@ -1998,6 +1998,20 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k,
 return OPJ_FALSE;
 }

+ /* testcase issue427-illegal-tile-offset.jp2 */
+ l_tx1 = l_cp->tx0 + l_cp->tdx;
+ if (l_tx1 < l_cp->tx0) { /* manage overflow */
+ l_tx1 = 0xFFFFFFFFU;
+ }
+ l_ty1 = l_cp->ty0 + l_cp->tdy;
+ if (l_ty1 < l_cp->ty0) { /* manage overflow */
+ l_ty1 = 0xFFFFFFFFU;
+ }
+ if ((l_cp->tx0 > l_image->x0) || (l_cp->ty0 > l_image->y0) || (l_tx1 <= l_image->x0) || (l_ty1 <= l_image->y0) ) {
+ opj_event_msg(p_manager, EVT_ERROR, "Error with SIZ marker: illegal tile offset\n");
+ return OPJ_FALSE;
+ }
+
 #ifdef USE_JPWL
 if (l_cp->correct) {
 /* if JPWL is on, we check whether TX errors have damaged
diff --git a/tests/nonregression/CMakeLists.txt b/tests/nonregression/CMakeLists.txt
index be349ec0..927120f4 100644
--- a/tests/nonregression/CMakeLists.txt
+++ b/tests/nonregression/CMakeLists.txt
@@ -44,6 +44,7 @@ set(BLACKLIST_JPEG2000_TMP
 edf_c2_1673169.jp2
 issue429.jp2
 issue427-null-image-size.jp2
+ issue427-illegal-tile-offset.jp2
 )

 # Define a list of file which should be gracefully rejected:
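Review bot: The comment above the new tile-offset check in opj_j2k_read_siz (second hunk of src/lib/openjp2/j2k.c) names only the test file, so the constraint being enforced on file-supplied SIZ values is left for the reader to reconstruct; a line such as `/* the tile grid origin must not lie beyond the image origin, and the first tile must reach past it */` before the final `if` would record it. The clamped sum is written out twice with the literal `0xFFFFFFFFU`, and a small static helper returning the saturated `OPJ_UINT32` sum would keep the x and y paths identical. The error message would be easier to triage if it carried the rejected values, e.g. `"Error with SIZ marker: illegal tile offset (tx0: %u, ty0: %u)\n", l_cp->tx0, l_cp->ty0`. The function body starts and ends outside the hunk.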
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index ace54f94..afcf45d3 100644
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -231,6 +231,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-yc
 !opj_decompress -i @INPUT_NR_PATH@/issue432.jp2 -o @TEMP_PATH@/issue432.jp2.pgx
 # issue 427 image width is 0
 !opj_decompress -i @INPUT_NR_PATH@/issue427-null-image-size.jp2 -o @TEMP_PATH@/issue427-null-image-size.jp2.pgx
+# issue 427 illegal tile offset
+!opj_decompress -i @INPUT_NR_PATH@/issue427-illegal-tile-offset.jp2 -o @TEMP_PATH@/issue427-illegal-tile-offset.jp2.pgx

 # decode with specific area
 # prec=12; nb_c=1