blob: eedf9d79aa1b8cbb579f8f016880c360fa98a27d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 21 Apr 2021 12:06:04 +0100
Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
---
src/jp2image.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b424225..349a9f0 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
uint32_t length = getLong((byte*)&pBox->length, bigEndian);
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
uint32_t count = sizeof (Jp2BoxHeader);
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
while ( count < length || !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
--
2.25.1
|
