Fix write heap buffer overflow in opj_mqc_byteout(). Discovered by Ke Liu of Tencent...
authorEven Rouault <even.rouault@spatialys.com>
Sat, 29 Jul 2017 17:13:49 +0000 (19:13 +0200)
committerEven Rouault <even.rouault@spatialys.com>
Sat, 29 Jul 2017 17:13:49 +0000 (19:13 +0200)
src/lib/openjp2/tcd.c

index 567798525be9b93c62488cef77badf6a743c7e7d..08c5a765a12910c26243ecaeefc2a5ad9186ec0e 100644 (file)
@@ -1182,8 +1182,9 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
 {
     OPJ_UINT32 l_data_size;
 
-    l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-                               (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                   (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
 
     if (l_data_size > p_code_block->data_size) {
         if (p_code_block->data) {
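Review bot: The `1 +` added to `l_data_size` is explained only by an issue URL, so a reader cannot tell which write needs the extra byte or whether one byte covers the worst case. I would state the invariant in the comment itself, along the lines of `/* +1: opj_mqc_byteout() can store one byte past the nominal coded size of the block, see issue #835 */`. That wording is inferred from the commit title, because opj_mqc_byteout() is not in this hunk, so please check it against the MQ coder's flush and termination paths. Separately, the product is still evaluated in `OPJ_INT32` before the cast. If the code-block dimensions are not bounded elsewhere, doing the multiplication in `OPJ_UINT32` would avoid signed overflow feeding an undersized allocation. The body of opj_tcd_code_block_enc_allocate_data continues past the end of the hunk.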