blob: 1c267c313b4839fe2d1df504c08c491598f17008 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
From 4ce7d285a55d29b79880d0566d4b010fe1907aa9 Mon Sep 17 00:00:00 2001
From: yuan <zodf0055980@gmail.com>
Date: Fri, 4 Dec 2020 19:00:22 +0800
Subject: [PATCH] Encoder: grow again buffer size in
opj_tcd_code_block_enc_allocate_data() (fixes #1283)
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
CVE: CVE-2020-27814
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
src/lib/openjp2/tcd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1240,9 +1240,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
/* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
/* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */
/* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */
+ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */
/* TODO: is there a theoretical upper-bound for the compressed code */
/* block size ? */
- l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
if (l_data_size > p_code_block->data_size) {
|
