40 lines
1.9 KiB
Diff
40 lines
1.9 KiB
Diff
From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
|
|
From: Kevin Backhouse <kevinbackhouse@github.com>
|
|
Date: Wed, 21 Apr 2021 12:06:04 +0100
|
|
Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
|
|
|
|
---
|
|
src/jp2image.cpp | 11 +++++++----
|
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
|
index 917d115..0825d99 100644
|
|
--- a/src/jp2image.cpp
|
|
+++ b/src/jp2image.cpp
|
|
@@ -626,15 +626,18 @@ namespace Exiv2
|
|
void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
|
|
{
|
|
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
|
|
- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
|
|
- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
|
|
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
|
|
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
|
|
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
|
|
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
|
|
- int32_t length = getLong((byte*)&pBox->length, bigEndian);
|
|
- int32_t count = sizeof (Jp2BoxHeader);
|
|
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
|
|
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
|
|
+ uint32_t count = sizeof (Jp2BoxHeader);
|
|
char* p = (char*) boxBuf.pData_;
|
|
bool bWroteColor = false ;
|
|
|
|
while ( count < length || !bWroteColor ) {
|
|
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
|
|
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
|
|
|
|
// copy data. pointer could be into a memory mapped file which we will decode!
|
|
--
|
|
2.23.0
|
|
|