Sophie

Sophie

distrib > Mageia > 5 > i586 > media > core-release-src > by-pkgid > 524257634c51af1864ec0107c9cc7cc8 > files > 2

mingw-openjpeg-1.5.1-6.mga5.src.rpm

Index: libopenjpeg/jp2.c
===================================================================
--- libopenjpeg/jp2.c	(revision 2028)
+++ libopenjpeg/jp2.c	(revision 2029)
@@ -173,6 +173,10 @@
 	else if (box->length == 0) {
 		box->length = cio_numbytesleft(cio) + 8;
 	}
+	if (box->length < 0) {
+		opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");
+		return OPJ_FALSE; // TODO: actually check jp2_read_boxhdr's return value
+	}
 	
 	return OPJ_TRUE;
 }
@@ -654,6 +658,7 @@
         opj_event_msg(cinfo, EVT_ERROR, "Expected JP2H Marker\n");
         return OPJ_FALSE;
         }
+	  if (box.length <= 8) return OPJ_FALSE;
       cio_skip(cio, box.length - 8);
 
       if(cio->bp >= cio->end) return OPJ_FALSE;
@@ -679,6 +684,7 @@
       {
       if( !jp2_read_colr(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -689,6 +695,7 @@
       {
       if( !jp2_read_cdef(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -699,6 +706,7 @@
       {
       if( !jp2_read_pclr(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
@@ -709,12 +717,14 @@
       {
       if( !jp2_read_cmap(jp2, cio, &box, color))
         {
+        if (box.length <= 8) return OPJ_FALSE;
         cio_seek(cio, box.init_pos + 8);
         cio_skip(cio, box.length - 8);
         }
       if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
       continue;
       }
+    if (box.length <= 8) return OPJ_FALSE;
     cio_seek(cio, box.init_pos + 8);
     cio_skip(cio, box.length - 8);
     if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
@@ -910,12 +920,14 @@
   }
 	do {
 		if(JP2_JP2C != box.type) {
+			if (box.length <= 8) return OPJ_FALSE;
 			cio_skip(cio, box.length - 8);
 			if( jp2_read_boxhdr(cinfo, cio, &box) == OPJ_FALSE ) return OPJ_FALSE;
 		}
 	} while(JP2_JP2C != box.type);
 
 	*j2k_codestream_offset = cio_tell(cio);
+	if (box.length <= 8) return OPJ_FALSE;
 	*j2k_codestream_length = box.length - 8;
 
 	return OPJ_TRUE;

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional