opj_j2k_merge_ppm(): avoid unsigned-integer-overflow at j2k.c:3962 (#1490)
diff --git
a/src/lib/openjp2/j2k.c
b/src/lib/openjp2/j2k.c
index 9dbba8f1be3f3108b779ec7719ceec1e1d4246ab..9db1bbd7fa2bef48eb80a0bc8ebf4640a2873d87 100644
--- a/
src/lib/openjp2/j2k.c
+++ b/
src/lib/openjp2/j2k.c
@@
-3959,9
+3959,12
@@
static OPJ_BOOL opj_j2k_merge_ppm(opj_cp_t *p_cp, opj_event_mgr_t * p_manager)
opj_read_bytes(l_data, &l_N_ppm, 4);
l_data += 4;
l_data_size -= 4;
opj_read_bytes(l_data, &l_N_ppm, 4);
l_data += 4;
l_data_size -= 4;
- l_ppm_data_size +=
- l_N_ppm; /* can't overflow, max 256 markers of max 65536 bytes, that is when PPM markers are not corrupted which is checked elsewhere */
+ if (l_ppm_data_size > UINT_MAX - l_N_ppm) {
+ opj_event_msg(p_manager, EVT_ERROR, "Too large value for Nppm\n");
+ return OPJ_FALSE;
+ }
+ l_ppm_data_size += l_N_ppm;
if (l_data_size >= l_N_ppm) {
l_data_size -= l_N_ppm;
l_data += l_N_ppm;
if (l_data_size >= l_N_ppm) {
l_data_size -= l_N_ppm;
l_data += l_N_ppm;
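Review bot: The new guard `if (l_ppm_data_size > UINT_MAX - l_N_ppm)` replaces a comment that explained why the sum could not wrap, but nothing now records why the check is needed. I would add a comment above it such as `/* Nppm is read from the codestream; with corrupted PPM markers the running total can wrap, so reject it here */`. The bound is also the limit of `unsigned int`, while `l_N_ppm` is filled from a 4-byte field by `opj_read_bytes(l_data, &l_N_ppm, 4)`. If both variables are declared as a fixed 32-bit type (the declarations are outside the hunk), a limit tied to that width, e.g. `0xFFFFFFFFU - l_N_ppm`, keeps the check correct regardless of the platform's `unsigned int` size. The body of opj_j2k_merge_ppm starts and ends outside the hunk, so it is worth confirming that the added `return OPJ_FALSE;` leaves any buffers already attached to `p_cp` to be released by the caller.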