blob: e4373d0d32cb11da2feda28e1ee6e328cbddf166 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 30 Nov 2020 22:31:51 +0100
Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
used, that would result in a heap buffer overflow (fixes #1284)
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
CVE: CVE-2020-27823
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
src/bin/jp2/convertpng.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
index 328c91beb..00f596e27 100644
--- a/src/bin/jp2/convertpng.c
+++ b/src/bin/jp2/convertpng.c
@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
image->x0 = (OPJ_UINT32)params->image_offset_x0;
image->y0 = (OPJ_UINT32)params->image_offset_y0;
image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)
- params->subsampling_dx + 1 + image->x0);
+ params->subsampling_dx + 1);
image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
- params->subsampling_dy + 1 + image->y0);
+ params->subsampling_dy + 1);
row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
if (row32s == NULL) {
|