[trunk] Fix heap buffer overflow

[openjpeg.git] / libopenjpeg / j2k.c

diff --git a/libopenjpeg/j2k.c b/libopenjpeg/j2k.c
index 80cb27482d9288be2ad70e049d156c0791d53a63..d2e5c927c5e0b63157821ce98c2feadd2a972747 100644 (file)
--- a/libopenjpeg/j2k.c
+++ b/libopenjpeg/j2k.c
@@ -4582,7 +4582,7 @@ opj_bool j2k_read_plt_v2 (
        assert(p_manager != 00);
 
        if (p_header_size < 1) {
-               opj_event_msg_v2(p_manager, EVT_ERROR, "Error reading PLM marker\n");
+               opj_event_msg_v2(p_manager, EVT_ERROR, "Error reading PLT marker\n");
                return OPJ_FALSE;
        }
 
@@ -4605,7 +4605,7 @@ opj_bool j2k_read_plt_v2 (
        }
 
        if (l_packet_len != 0) {
-               opj_event_msg_v2(p_manager, EVT_ERROR, "Error reading PLM marker\n");
+               opj_event_msg_v2(p_manager, EVT_ERROR, "Error reading PLT marker\n");
                return OPJ_FALSE;
        }
 
@@ -5240,7 +5240,7 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
                static int backup_tileno = 0;
 
                /* tileno is negative or larger than the number of tiles!!! */
-               if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
+               if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
                        opj_event_msg(j2k->cinfo, EVT_ERROR,
                                "JPWL: bad tile number (%d out of a maximum of %d)\n",
                                tileno, (cp->tw * cp->th));
@@ -5257,8 +5257,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
 
                /* keep your private count of tiles */
                backup_tileno++;
-       };
+       }
+  else
 #endif /* USE_JPWL */
+  {
+    /* tileno is negative or larger than the number of tiles!!! */
+    if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR,
+        "JPWL: bad tile number (%d out of a maximum of %d)\n",
+        tileno, (cp->tw * cp->th));
+      return;
+    }
+  }
        
        if (cp->tileno_size == 0) {
                cp->tileno[cp->tileno_size] = tileno;
@@ -5297,8 +5307,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
                                totlen);
                }
 
-       };
+       }
+  else
 #endif /* USE_JPWL */
+  {
+    /* totlen is negative or larger than the bytes left!!! */
+    if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR,
+        "JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
+        totlen, cio_numbytesleft(cio) + 8);
+      return;
+    }
+  }
 
        if (!totlen)
                totlen = cio_numbytesleft(cio) + 8;
@@ -5520,6 +5540,7 @@ opj_bool j2k_read_sot_v2 (
        /* Index */
        if (p_j2k->cstr_index)
        {
+    assert(p_j2k->cstr_index->tile_index != 00);
                p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].tileno = p_j2k->m_current_tile_number;
                p_j2k->cstr_index->tile_index[p_j2k->m_current_tile_number].current_tpsno = l_current_part;
 
@@ -6033,7 +6054,9 @@ opj_bool j2k_write_eoc_v2(        opj_j2k_v2_t *p_j2k,
 /* UniPG>> */
 #ifdef USE_JPWL
        /* update markers struct */
+       /*
        j2k_add_marker(p_j2k->cstr_info, J2K_MS_EOC, p_stream_tell(p_stream) - 2, 2);
+*/
 #endif /* USE_JPWL */
 
        if ( opj_stream_write_data(p_stream,p_j2k->m_specific_param.m_encoder.m_header_tile_data,2,p_manager) != 2) {
@@ -11795,7 +11818,7 @@ static opj_bool j2k_decode_one_tile (   opj_j2k_v2_t *p_j2k,
                if(l_current_tile_no == l_tile_no_to_dec)
                {
                        /* move into the codestream to the the first SOT (FIXME or not move?)*/
-                       if (opj_stream_read_seek(p_stream, p_j2k->cstr_index->main_head_end + 2, p_manager) ) {
+                       if (!(opj_stream_read_seek(p_stream, p_j2k->cstr_index->main_head_end + 2, p_manager) ) ) {
                                opj_event_msg_v2(p_manager, EVT_ERROR, "Problem with seek function\n");
                                return OPJ_FALSE;
                        }