Fix undefined size jp2 box handling

Update #653

src/lib/openjp2/jp2.c

@@ -482,12 +482,16 @@ static OPJ_BOOL opj_jp2_read_boxhdr(opj_jp2_box_t *box,
 	opj_read_bytes(l_data_header+4,&(box->type), 4);
     
   if(box->length == 0)/* last box */
-    {
+  {
     const OPJ_OFF_T bleft = opj_stream_get_number_byte_left(cio);
-    box->length = (OPJ_UINT32)bleft;
-    assert( (OPJ_OFF_T)box->length == bleft );
-    return OPJ_TRUE;
+    if (bleft > (OPJ_OFF_T)(0xFFFFFFFFU - 8U)) {
+      opj_event_msg(p_manager, EVT_ERROR, "Cannot handle box sizes higher than 2^32\n");
+      return OPJ_FALSE;
     }
+    box->length = (OPJ_UINT32)bleft + 8U;
+    assert( (OPJ_OFF_T)box->length == bleft + 8 );
+    return OPJ_TRUE;
+  }
 
 	/* do we have a "special very large box ?" */
 	/* read then the XLBox */
@@ -2112,7 +2116,7 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
 		if (box.type == JP2_JP2C) {
 			if (jp2->jp2_state & JP2_STATE_HEADER) {
 				jp2->jp2_state |= JP2_STATE_CODESTREAM;
-                                opj_free(l_current_data);
+				opj_free(l_current_data);
 				return OPJ_TRUE;
 			}
 			else {
@@ -2127,7 +2131,7 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
 			return OPJ_FALSE;
 		}
 		/* testcase 1851.pdf.SIGSEGV.ce9.948 */
-        else if (box.length < l_nb_bytes_read) {
+		else if (box.length < l_nb_bytes_read) {
 			opj_event_msg(p_manager, EVT_ERROR, "invalid box size %d (%x)\n", box.length, box.type);
 			opj_free(l_current_data);
 			return OPJ_FALSE;
@@ -2184,16 +2188,16 @@ static OPJ_BOOL opj_jp2_read_header_procedure(  opj_jp2_t *jp2,
 			}
 		}
 		else {
-            if (!(jp2->jp2_state & JP2_STATE_SIGNATURE)) {
-                opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: first box must be JPEG 2000 signature box\n");
-                opj_free(l_current_data);
-                return OPJ_FALSE;
-            }
-            if (!(jp2->jp2_state & JP2_STATE_FILE_TYPE)) {
-                opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: second box must be file type box\n");
-                opj_free(l_current_data);
-                return OPJ_FALSE;
-            }
+			if (!(jp2->jp2_state & JP2_STATE_SIGNATURE)) {
+				opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: first box must be JPEG 2000 signature box\n");
+				opj_free(l_current_data);
+				return OPJ_FALSE;
+			}
+			if (!(jp2->jp2_state & JP2_STATE_FILE_TYPE)) {
+				opj_event_msg(p_manager, EVT_ERROR, "Malformed JP2 file format: second box must be file type box\n");
+				opj_free(l_current_data);
+				return OPJ_FALSE;
+			}
 			jp2->jp2_state |= JP2_STATE_UNKNOWN;
 			if (opj_stream_skip(stream,l_current_data_size,p_manager) != l_current_data_size) {
 				opj_event_msg(p_manager, EVT_ERROR, "Problem with skipping JPEG2000 box, stream error\n");

tests/nonregression/md5refs.txt

@@ -269,3 +269,4 @@ e163102afcc857cf001337178241f518  issue559-eci-090-CIELab.jp2_2.pgx
 b004b2e08b0dfb217c131b353cf157eb  issue559-eci-091-CIELab.jp2_0.pgx
 2400da6b8ed6b1747b9913af544580f9  issue559-eci-091-CIELab.jp2_1.pgx
 cf73dda887967928dbcf5cc87ab204cc  issue559-eci-091-CIELab.jp2_2.pgx
+3bf91c974abc17e520c6a5efa883a58a  issue653-zero-unknownbox.jp2.png

tests/nonregression/test_suite.ctest.in

@@ -505,3 +505,6 @@ opj_decompress -i @INPUT_NR_PATH@/issue236-ESYCC-CDEF.jp2 -o @TEMP_PATH@/issue23
 # issue 326 + PR 559: CIELab colorspace
 opj_decompress -i @INPUT_NR_PATH@/issue559-eci-090-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-090-CIELab.jp2.pgx
 opj_decompress -i @INPUT_NR_PATH@/issue559-eci-091-CIELab.jp2 -o @TEMP_PATH@/issue559-eci-091-CIELab.jp2.pgx
+
+# issue 653 Last box of undefined size byg
+opj_decompress -i @INPUT_NR_PATH@/issue653-zero-unknownbox.jp2 -o @TEMP_PATH@/issue653-zero-unknownbox.jp2.png -p 8S