[trunk] Import commit fc884aee2b69c78500e65c3d05bf216791a9ea4a from ghostpdl
prevent heap overflow in opj_t2_read_packet_header Also prevent a double-free of segment data under OOM conditions. Problem found in a test file, 1802.pdf.SIGSEGV.36e.894 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks! Update issue 225
		| @@ -981,6 +981,11 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2, | |||||||
|                         do { |                         do { | ||||||
|                                 l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n); |                                 l_cblk->segs[l_segno].numnewpasses = opj_int_min(l_cblk->segs[l_segno].maxpasses - l_cblk->segs[l_segno].numpasses, n); | ||||||
|                                 l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses)); |                                 l_cblk->segs[l_segno].newlen = opj_bio_read(l_bio, l_cblk->numlenbits + opj_uint_floorlog2(l_cblk->segs[l_segno].numnewpasses)); | ||||||
|  |                                 /* testcase 1802.pdf.SIGSEGV.36e.894 */ | ||||||
|  |                                 if (l_cblk->segs[l_segno].newlen > *l_modified_length_ptr) { | ||||||
|  |                                         opj_bio_destroy(l_bio); | ||||||
|  |                                         return OPJ_FALSE; | ||||||
|  |                                 } | ||||||
|  |  | ||||||
|                                 n -= l_cblk->segs[l_segno].numnewpasses; |                                 n -= l_cblk->segs[l_segno].numnewpasses; | ||||||
|                                 if (n > 0) { |                                 if (n > 0) { | ||||||
| @@ -1116,6 +1121,7 @@ OPJ_BOOL opj_t2_read_packet_data(   opj_t2_t* p_t2, | |||||||
|                                     OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen); |                                     OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen); | ||||||
|                                     if(! new_cblk_data) { |                                     if(! new_cblk_data) { | ||||||
|                                         opj_free(l_cblk->data); |                                         opj_free(l_cblk->data); | ||||||
|  |                                         l_cblk->data = NULL; | ||||||
|                                         l_cblk->data_max_size = 0; |                                         l_cblk->data_max_size = 0; | ||||||
|                                         /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */ |                                         /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */ | ||||||
|                                         return OPJ_FALSE; |                                         return OPJ_FALSE; | ||||||
|   | |||||||
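Review bot: The new guard in opj_t2_read_packet_header bounds a single segment's newlen against the whole remaining packet length, but newlen is read once per iteration of the enclosing do-loop, so several segments can each pass the check while their sum still exceeds *l_modified_length_ptr; the consumer in opj_t2_read_packet_data should therefore also compare l_seg->newlen against the bytes left in the source buffer before the realloc and the copy, and the second hunk does not show such a check. In the same spirit, if data_current_size and newlen are 32-bit unsigned, `l_cblk->data_current_size + l_seg->newlen` can wrap before it reaches opj_realloc, so an overflow check on that sum would close the remaining gap. The comment `/* testcase 1802.pdf.SIGSEGV.36e.894 */` names only the trigger; a reader is better served by `/* a corrupt newlen larger than the remaining packet would overrun the code-block buffer in opj_t2_read_packet_data; reject it here */`. The do-loop and both functions extend beyond the hunks shown.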
	 Mathieu Malaterre
					Mathieu Malaterre