opj_dwt_decode_partial_tile(): avoid undefined behaviour in lifting operation by...

author Even Rouault <even.rouault@spatialys.com>

Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)

committer Even Rouault <even.rouault@spatialys.com>

Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)
author Even Rouault <even.rouault@spatialys.com>
Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)
committer Even Rouault <even.rouault@spatialys.com>
Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)
diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c

index b32508dbf931afcab6e6bf3ab9cac24087ee7142..047981d6d2bd8e1df4c68d630ec3583a0f37cec3 100644 (file)
--- a/src/lib/openjp2/dwt.c
+++ b/src/lib/openjp2/dwt.c
@@ -1858,6 +1858,19 @@ static OPJ_BOOL opj_dwt_decode_partial_tile(
          for (j = 0; j < rh; ++j) {
              if ((j >= win_ll_y0 && j < win_ll_y1) ||
                      (j >= win_lh_y0 + (OPJ_UINT32)v.sn && j < win_lh_y1 + (OPJ_UINT32)v.sn)) {
+
+                /* Avoids dwt.c:1584:44 (in opj_dwt_decode_partial_1): runtime error: */
+                /* signed integer overflow: -1094795586 + -1094795586 cannot be represented in type 'int' */
+                /* on opj_decompress -i  ../../openjpeg/MAPA.jp2 -o out.tif -d 0,0,256,256 */
+                /* This is less extreme than memsetting the whole buffer to 0 */
+                /* although we could potentially do better with better handling of edge conditions */
+                if (win_tr_x1 >= 1 && win_tr_x1 < rw) {
+                    h.mem[win_tr_x1 - 1] = 0;
+                }
+                if (win_tr_x1 < rw) {
+                    h.mem[win_tr_x1] = 0;
+                }
+
                  opj_dwt_interleave_partial_h(h.mem,
                                               h.cas,
                                               sa,
author	Even Rouault <even.rouault@spatialys.com>
	Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)
committer	Even Rouault <even.rouault@spatialys.com>
	Fri, 1 Sep 2017 14:30:32 +0000 (16:30 +0200)