opj_j2k_merge_ppm(): avoid unsigned-integer-overflow at j2k.c:3962 (#1490) 1490/head
authorheadshog <craaaaaachind@gmail.com>
Wed, 6 Dec 2023 14:30:29 +0000 (17:30 +0300)
committerEven Rouault <even.rouault@spatialys.com>
Fri, 8 Dec 2023 14:03:54 +0000 (15:03 +0100)
src/lib/openjp2/j2k.c

index 9dbba8f1be3f3108b779ec7719ceec1e1d4246ab..9db1bbd7fa2bef48eb80a0bc8ebf4640a2873d87 100644 (file)
@@ -3959,9 +3959,12 @@ static OPJ_BOOL opj_j2k_merge_ppm(opj_cp_t *p_cp, opj_event_mgr_t * p_manager)
                     opj_read_bytes(l_data, &l_N_ppm, 4);
                     l_data += 4;
                     l_data_size -= 4;
-                    l_ppm_data_size +=
-                        l_N_ppm; /* can't overflow, max 256 markers of max 65536 bytes, that is when PPM markers are not corrupted which is checked elsewhere */
 
+                    if (l_ppm_data_size > UINT_MAX - l_N_ppm) {
+                        opj_event_msg(p_manager, EVT_ERROR, "Too large value for Nppm\n");
+                        return OPJ_FALSE;
+                    }
+                    l_ppm_data_size += l_N_ppm;
                     if (l_data_size >= l_N_ppm) {
                         l_data_size -= l_N_ppm;
                         l_data += l_N_ppm;
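Review bot: The added guard `if (l_ppm_data_size > UINT_MAX - l_N_ppm)` bounds the sum by the width of `unsigned int` rather than by the type of the two variables being added. Their declarations are outside the hunk, but the 4-byte `opj_read_bytes` suggests a 32-bit type (presumably `OPJ_UINT32`). If so, tying the limit to that type keeps the check exact wherever the widths differ: `if (l_N_ppm > (OPJ_UINT32)-1 - l_ppm_data_size) {`. The removed comment claimed the addition could not overflow and nothing replaces it, so I would add `/* Nppm is read from the codestream, so the running total can wrap on a corrupted file */` above the check. The message "Too large value for Nppm" is also slightly off, since it is the accumulated total that exceeds the limit, not necessarily a single Nppm. The body of opj_j2k_merge_ppm continues outside the hunk, so it is worth confirming that any other place accumulating `l_N_ppm` into a size gets the same guard.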