| From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001 |
| From: Even Rouault <even.rouault@spatialys.com> |
| Date: Sat, 11 Jan 2020 01:51:19 +0100 |
| Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose |
| coordinates are beyond INT_MAX (fixes #1228) |
| |
| CVE: CVE-2020-6851 |
| |
| Signed-off-by: Mingde (Matthew) Zeng <matthew.zeng@windriver.com> |
| |
| --- |
| src/lib/openjp2/j2k.c | 8 ++++++++ |
| 1 file changed, 8 insertions(+) |
| |
| diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c |
| index 14f6ff41..922550eb 100644 |
| --- a/src/lib/openjp2/j2k.c |
| +++ b/src/lib/openjp2/j2k.c |
| @@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim |
| l_img_comp = p_image->comps; |
| for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { |
| OPJ_INT32 l_h, l_w; |
| + if (p_image->x0 > (OPJ_UINT32)INT_MAX || |
| + p_image->y0 > (OPJ_UINT32)INT_MAX || |
| + p_image->x1 > (OPJ_UINT32)INT_MAX || |
| + p_image->y1 > (OPJ_UINT32)INT_MAX) { |
| + opj_event_msg(p_manager, EVT_ERROR, |
| + "Image coordinates above INT_MAX are not supported\n"); |
| + return OPJ_FALSE; |
| + } |
| |
| l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, |
| (OPJ_INT32)l_img_comp->dx); |
| -- |
| 2.17.1 |
| |