[trunk] fixed a possible overflow in opj_t1_encode_cblks call to opj_int_fix_mul...
[openjpeg.git] / src / lib / openjp2 / t2.c
index f2a7c9a57cbd659b127a3bc75bcc409327436619..6f0ac9156997bcc3d19dc561b3f2572bce9af8c9 100644 (file)
@@ -242,6 +242,11 @@ OPJ_BOOL opj_t2_encode_packets( opj_t2_t* p_t2,
                                 /* TODO MSD : check why this function cannot fail (cf. v1) */
                                 opj_pi_create_encode(l_pi, l_cp,p_tile_no,poc,l_tp_num,p_tp_pos,p_t2_mode);
 
+                                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                                    /* TODO ADE : add an error */
+                                    opj_pi_destroy(l_pi, l_nb_pocs);
+                                    return OPJ_FALSE;
+                                }
                                 while (opj_pi_next(l_current_pi)) {
                                         if (l_current_pi->layno < p_maxlayers) {
                                                 l_nb_bytes = 0;
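Review bot: The new `OPJ_PROG_UNKNOWN` guard returns `OPJ_FALSE` without emitting any diagnostic, and the same `/* TODO ADE : add an error */` placeholder is repeated in the second encode hunk and in the `opj_t2_decode_packets` hunk. A caller therefore cannot tell a rejected progression order from any other packet failure, which makes malformed-input reports hard to triage. Until a proper error path exists, a message in the style the file already uses further down would do, e.g. `fprintf(stderr, "t2: unknown progression order\n");`, with the TODO replaced by a comment saying why the iterator cannot be advanced in this state. The enclosing loop starts outside the hunk, so it cannot be confirmed from here that `l_current_pi` refers to the iterator that `opj_pi_create_encode` just set up.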
@@ -274,7 +279,11 @@ OPJ_BOOL opj_t2_encode_packets( opj_t2_t* p_t2,
                 opj_pi_create_encode(l_pi, l_cp,p_tile_no,p_pino,p_tp_num,p_tp_pos,p_t2_mode);
 
                 l_current_pi = &l_pi[p_pino];
-
+                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                    /* TODO ADE : add an error */
+                    opj_pi_destroy(l_pi, l_nb_pocs);
+                    return OPJ_FALSE;
+                }
                 while (opj_pi_next(l_current_pi)) {
                         if (l_current_pi->layno < p_maxlayers) {
                                 l_nb_bytes=0;
@@ -378,7 +387,15 @@ OPJ_BOOL opj_t2_decode_packets( opj_t2_t *p_t2,
                  * l_current_pi->resno is always >= p_tile->comps[l_current_pi->compno].minimum_num_resolutions
                  * and no l_img_comp->resno_decoded are computed
                  */
-                OPJ_BOOL* first_pass_failed = (OPJ_BOOL*)opj_malloc(l_image->numcomps * sizeof(OPJ_BOOL));
+                OPJ_BOOL* first_pass_failed = NULL;
+                                       
+                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                    /* TODO ADE : add an error */
+                    opj_pi_destroy(l_pi, l_nb_pocs);
+                    return OPJ_FALSE;
+                }
+                                       
+                first_pass_failed = (OPJ_BOOL*)opj_malloc(l_image->numcomps * sizeof(OPJ_BOOL));
                 if (!first_pass_failed)
                 {
                     opj_pi_destroy(l_pi,l_nb_pocs);
@@ -1132,7 +1149,7 @@ OPJ_BOOL opj_t2_read_packet_data(   opj_t2_t* p_t2,
 
                         do {
                                 /* Check possible overflow (on l_current_data only, assumes input args already checked) then size */
-                                if (((OPJ_SIZE_T)(l_current_data + l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) {
+                                if ((((OPJ_SIZE_T)l_current_data + (OPJ_SIZE_T)l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) {
                                         fprintf(stderr, "read: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
                                                 l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno);
                                         return OPJ_FALSE;
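Review bot: The second half of the condition still builds `l_current_data + l_seg->newlen` as a pointer, so an oversized `newlen` produces an out-of-bounds pointer before the comparison, and that is undefined behaviour. The rewritten first half now detects integer wrap correctly, but a compiler may assume the pointer sum never overflows and fold the bound test. Comparing lengths avoids forming the pointer at all: `if (l_seg->newlen > p_max_length - (OPJ_SIZE_T)(l_current_data - p_src_data)) {`. This holds provided `l_current_data` already lies within `[p_src_data, p_src_data + p_max_length]`, which the existing comment says is assumed. The declarations are outside the hunk, so the operand types should be confirmed before applying it.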
@@ -1265,7 +1282,8 @@ OPJ_BOOL opj_t2_skip_packet_data(   opj_t2_t* p_t2,
                         }
 
                         do {
-                                if (* p_data_read + l_seg->newlen > p_max_length) {
+                                /* Check possible overflow then size */
+                                if (((*p_data_read + l_seg->newlen) < (*p_data_read)) || ((*p_data_read + l_seg->newlen) > p_max_length)) {
                                         fprintf(stderr, "skip: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
                                                 l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno);
                                         return OPJ_FALSE;
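Review bot: The added wrap test `(*p_data_read + l_seg->newlen) < (*p_data_read)` is only reliable if both operands are unsigned and of the same width, and their declarations are outside the hunk. If either were signed, the addition would overflow with undefined behaviour and the test could be optimised away. A subtraction form has no sum to overflow and reads as one bound: `if (l_seg->newlen > p_max_length - *p_data_read) {`, given that `*p_data_read <= p_max_length` is maintained by the loop. The `fprintf` in the context lines prints `l_seg->newlen` and `p_max_length` with `%d`; if those are unsigned, the oversized values this check exists to catch would be logged as negative numbers, so `%u` is presumably the right specifier.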