openjpeg2/backport-CVE-2020-27845.patch

From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 4 Dec 2020 20:45:25 +0100
Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302)

---
 src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index d62b8d74a..4f7dd50f1 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -240,6 +240,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi)
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_lrcp(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         comp = &pi->comps[pi->compno];
         res = &comp->resolutions[pi->resno];
@@ -293,6 +300,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_iterator_t * pi)
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_rlcp(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         comp = &pi->comps[pi->compno];
         res = &comp->resolutions[pi->resno];
@@ -339,6 +353,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi)
     opj_pi_resolution_t *res = NULL;
     OPJ_UINT32 index = 0;
 
+    if (pi->poc.compno0 >= pi->numcomps ||
+            pi->poc.compno1 >= pi->numcomps + 1) {
+        opj_event_msg(pi->manager, EVT_ERROR,
+                      "opj_pi_next_rpcl(): invalid compno0/compno1\n");
+        return OPJ_FALSE;
+    }
+
     if (!pi->first) {
         goto LABEL_SKIP;
     } else {
@@ -474,7 +495,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi)
     if (pi->poc.compno0 >= pi->numcomps ||
             pi->poc.compno1 >= pi->numcomps + 1) {
         opj_event_msg(pi->manager, EVT_ERROR,
-                      "opj_pi_next_pcrl(): invalid compno0/compno1");
+                      "opj_pi_next_pcrl(): invalid compno0/compno1\n");
         return OPJ_FALSE;
     }
 
@@ -612,7 +633,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi)
     if (pi->poc.compno0 >= pi->numcomps ||
             pi->poc.compno1 >= pi->numcomps + 1) {
         opj_event_msg(pi->manager, EVT_ERROR,
-                      "opj_pi_next_cprl(): invalid compno0/compno1");
+                      "opj_pi_next_cprl(): invalid compno0/compno1\n");
         return OPJ_FALSE;
     }