diff --git a/libopenjpeg/j2k.c b/libopenjpeg/j2k.c
index 77acfe0..feec3fa 100644
--- a/libopenjpeg/j2k.c
+++ b/libopenjpeg/j2k.c
@@ -835,12 +835,12 @@ static void j2k_read_coc(opj_j2k_t *j2k) {
 len = cio_read(cio, 2); /* Lcoc */
 compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
- if (compno >= image->numcomps) {
- opj_event_msg(j2k->cinfo, EVT_ERROR,
- "bad component number in COC (%d out of a maximum of %d)\n",
- compno, image->numcomps);
- return;
- }
+ if ((compno < 0) || (compno >= image->numcomps)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR ,
+ "bad component number in COC (%d out of a maximum of %d)\n",
+ compno, image->numcomps);
+ return;
+ }
 tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */
 j2k_read_cox(j2k, compno);
 }
@@ -1023,14 +1023,18 @@ static void j2k_read_qcc(opj_j2k_t *j2k) {
 /* keep your private count of tiles */
 backup_compno++;
 }
+ else
 #endif /* USE_JPWL */
- if ((compno < 0) || (compno >= numcomp)) {
- opj_event_msg(j2k->cinfo, EVT_ERROR,
- "bad component number in QCC (%d out of a maximum of %d)\n",
- compno, j2k->image->numcomps);
- return;
- }
+ {
+ /* compno is negative or larger than the number of components!!! */
+ if ((compno < 0) || (compno >= numcomp)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad component number in QCC (%d out of a maximum of %d)\n",
+ compno, numcomp);
+ return;
+ }
+ }
 j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
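Review bot: The rejection path in j2k_read_coc still ends in a bare `return;` from a `static void` handler, so the caller gets no signal that the marker was refused and the Scoc/SPcoc bytes stay unread; the same holds for the error returns in j2k_read_qcc, j2k_read_poc and j2k_read_rgn in this commit. Whether the marker loop consults any error state afterwards is not visible in this diff; if it does not, parsing of untrusted input resumes at a misaligned offset. I would record the failure in decoder state before returning, or at minimum document it with `/* marker rejected: rest of the COC segment is not consumed */` above the `return;`. The function body starts outside the hunk.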
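Review bot: In j2k_read_qcc the range check on `compno` now hangs off an `else` that exists only when USE_JPWL is defined, so in a JPWL build it is skipped whenever the preceding `if` (outside the hunk) is taken. That branch must then itself guarantee `0 <= compno < numcomp` before `j2k_read_qcx` runs; a comment next to the `else` such as `/* JPWL branch above has already validated or corrected compno */` would make the dependency explicit, once confirmed. The message on this non-JPWL path also gained a `JPWL:` prefix, which will mislead anyone triaging logs from a build without JPWL; keep it as `"bad component number in QCC (%d out of a maximum of %d)\n"`.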
@@ -1076,7 +1080,18 @@ static void j2k_read_poc(opj_j2k_t *j2k) {
 tcp->POC = 1;
 len = cio_read(cio, 2); /* Lpoc */
 numpchgs = (len - 2) / (5 + 2 * (numcomps <= 256 ? 1 : 2));
-
+
+ {
+ /* old_poc < 0 "just in case" */
+ int maxpocs = (sizeof(tcp->pocs)/sizeof(tcp->pocs[0]));
+ if ((old_poc < 0) || ((numpchgs + old_poc) >= maxpocs)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad number of progression order changes (%d out of a maximum of %d)\n",
+ (numpchgs + old_poc), maxpocs);
+ return;
+ }
+ }
+
 for (i = old_poc; i < numpchgs + old_poc; i++) {
 opj_poc_t *poc;
 poc = &tcp->pocs[i];
@@ -1615,12 +1630,13 @@ static void j2k_read_rgn(opj_j2k_t *j2k) {
 };
 #endif /* USE_JPWL */
- if (compno >= numcomps) {
- opj_event_msg(j2k->cinfo, EVT_ERROR,
- "bad component number in RGN (%d out of a maximum of %d)\n",
- compno, j2k->image->numcomps);
- return;
- }
+ /* totlen is negative or larger than the bytes left!!! */
+ if (compno >= numcomps) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad component number in RGN (%d when there are only %d)\n",
+ compno, numcomps);
+ return;
+ }
 tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */
 }
diff --git a/libopenjpeg/tcd.c b/libopenjpeg/tcd.c
index ee05205..bb92dfe 100644
--- a/libopenjpeg/tcd.c
+++ b/libopenjpeg/tcd.c
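Review bot: `tcp->POC = 1;` is assigned before the new bounds check in j2k_read_poc, so the error `return` leaves the tile flagged as carrying progression-order changes even though this marker stored none; move the assignment below the check or reset it on the error path. The check also relies on `tcp->pocs` being a real array member: if it were a pointer, `sizeof(tcp->pocs)/sizeof(tcp->pocs[0])` would silently yield a wrong `maxpocs`. The declaration is not in this diff, so a comment like `/* pocs must be a fixed-size array member for sizeof to give its capacity */` is worth adding. The loop that follows continues outside the hunk.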
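Review bot: The comment added above the check in j2k_read_rgn, `/* totlen is negative or larger than the bytes left!!! */`, describes a different check and should read something like `/* compno is larger than the number of components */`. Unlike the COC and QCC hunks, the condition here still omits the lower bound before `tcp->tccps[compno].roishift` is written; for consistency use `if ((compno < 0) || (compno >= numcomps)) {`. The function body starts outside the hunk, so the declared type of `compno` is not visible from here.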
@@ -1447,6 +1447,14 @@ opj_bool tcd_decode_tile(opj_tcd_t *tcd, unsigned char *src, int len, int tileno
 int n = (tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0);
 if (tile->numcomps >= 3 ){
+ /* testcase 1336.pdf.asan.47.376 */
+ if ((tile->comps[0].x1 - tile->comps[0].x0) * (tile->comps[0].y1 - tile->comps[0].y0) < n ||
+ ( tile->comps[1].x1 - tile->comps[1].x0) * (tile->comps[1].y1 - tile->comps[1].y0) < n ||
+ ( tile->comps[2].x1 - tile->comps[2].x0) * (tile->comps[2].y1 - tile->comps[2].y0) < n) {
+ opj_event_msg(tcd->cinfo, EVT_ERROR, "Tiles don't all have the same dimension. Skip the MCT step .\n");
+ return OPJ_FALSE;
+ }
+
 if (tcd->tcp->tccps[0].qmfbid == 1) {
 mct_decode(
 tile->comps[0].data,
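Review bot: The first arm of the new condition in tcd_decode_tile compares component 0's area with `n`, which the line above defines as exactly that product, so it can never be true; only the `comps[1]` and `comps[2]` arms do any work and the first can be dropped. The products are computed into `int`, so very large tile dimensions could overflow before the comparison (the coordinate types are not visible here); computing the areas in a wider type would make the guard robust. The message says "Skip the MCT step" while the code returns `OPJ_FALSE` and abandons the tile, bypassing whatever follows in the function outside the hunk, so either the wording or the control flow should change. A comment stating the reason for the guard, presumably `/* mct_decode reads n samples from each of the three component buffers */`, would help more than the test-case name alone.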