Potential heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c
There are two missing length checks in the function t2_encode_packet in src/lib/openmj2/t2.c (see #992).
167 /* <SOP 0xff91> */
168 if (tcp->csty & J2K_CP_CSTY_SOP) {
169 c[0] = 255;
170 c[1] = 145;
171 c[2] = 0;
172 c[3] = 4;
173 c[4] = (unsigned char)((tile->packno % 65536) / 256);
174 c[5] = (unsigned char)((tile->packno % 65536) % 256);
175 c += 6;
176 }
177 /* </SOP> */
...
273 /* <EPH 0xff92> */
274 if (tcp->csty & J2K_CP_CSTY_EPH) {
275 c[0] = 255;
276 c[1] = 146;
277 c += 2;
278 }
279 /* </EPH> */
Below is the proposed patch for the t2_encode_packet function.
167 /* <SOP 0xff91> */
168 if (tcp->csty & J2K_CP_CSTY_SOP) {
+ if (length < 6) {
+ if (p_t2_mode == FINAL_PASS) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "opj_t2_encode_packet(): only %u bytes remaining in "
+ "output buffer. %u needed.\n",
+ length, 6);
+ }
+ return OPJ_FALSE;
+ }
169 c[0] = 255;
170 c[1] = 145;
171 c[2] = 0;
172 c[3] = 4;
173 c[4] = (unsigned char)((tile->packno % 65536) / 256);
174 c[5] = (unsigned char)((tile->packno % 65536) % 256);
175 c += 6;
176 }
177 /* </SOP> */
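Review bot: Neither this SOP hunk nor the EPH hunk below adjusts `length` after advancing `c`, so the `length < 6` and `length < 2` guards are only sound if `length` is a running count of bytes still free at that point; if it is instead the total size of the output buffer, the EPH comparison is made against a stale value after `c` has already moved past the packet header. If `length` is meant to be the remaining count, add `length -= 6;` after `c += 6;` and `length -= 2;` after `c += 2;` so any later bounds checks in the function see the correct remainder; if it is the total size, the guard should instead compare the current write position against the end of the buffer. The identifiers `p_t2_mode`, `FINAL_PASS`, `p_manager` and `OPJ_FALSE` do not appear in the quoted openmj2 excerpt, which only uses `tcp`, `tile` and `c`, so they may belong to the openjp2 variant of this routine rather than to openmj2's `t2_encode_packet` — confirm its actual parameters and return type before applying. The `%u` specifiers likewise assume `length` is unsigned; match them to its declared type. `t2_encode_packet` begins and ends outside the quoted hunks.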
...
273 /* <EPH 0xff92> */
274 if (tcp->csty & J2K_CP_CSTY_EPH) {
+ if (length < 2) {
+ if (p_t2_mode == FINAL_PASS) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "opj_t2_encode_packet(): only %u bytes remaining in "
+ "output buffer. %u needed.\n",
+ length, 2);
+ }
+ return OPJ_FALSE;
+ }
275 c[0] = 255;
276 c[1] = 146;
277 c += 2;
278 }
279 /* </EPH> */
Do you plan to address this vulnerability? Note that CVE-2018-16376 was assigned.