diff options
author | Alex Cherepanov <alex.cherepanov@artifex.com> | 2012-08-09 00:51:35 -0400 |
---|---|---|
committer | Alex Cherepanov <alex.cherepanov@artifex.com> | 2012-08-09 00:51:35 -0400 |
commit | 946c6312efc2cbf74875d19fd7b49f3505ab7a81 (patch) | |
tree | a5c9abc49548be49586c4a0324bf607fcbfbea52 | |
parent | ef85034141b90c05ba0bc5e2ad40f834205b4f2a (diff) | |
download | ghostpdl-OpenJpeg-1.5.tar.gz |
Apply a patch for CVE-2012-3358OpenJpeg-1.5
See http://code.google.com/p/openjpeg/source/detail?r=1727
Other CVE patches are not needed for v.1.5.
-rw-r--r-- | gs/openjpeg/libopenjpeg/j2k.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/gs/openjpeg/libopenjpeg/j2k.c b/gs/openjpeg/libopenjpeg/j2k.c index a0a453f50..48701ee93 100644 --- a/gs/openjpeg/libopenjpeg/j2k.c +++ b/gs/openjpeg/libopenjpeg/j2k.c @@ -1269,7 +1269,7 @@ static void j2k_read_sot(opj_j2k_t *j2k) { static int backup_tileno = 0; /* tileno is negative or larger than the number of tiles!!! */ - if ((tileno < 0) || (tileno > (cp->tw * cp->th))) { + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: bad tile number (%d out of a maximum of %d)\n", tileno, (cp->tw * cp->th)); @@ -1286,8 +1286,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) { /* keep your private count of tiles */ backup_tileno++; - }; + } + else #endif /* USE_JPWL */ + { + /* tileno is negative or larger than the number of tiles!!! */ + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile number (%d out of a maximum of %d)\n", + tileno, (cp->tw * cp->th)); + return; + } + } if (cp->tileno_size == 0) { cp->tileno[cp->tileno_size] = tileno; @@ -1325,8 +1335,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) { totlen); } - }; + } + else #endif /* USE_JPWL */ + { + /* totlen is negative or larger than the bytes left!!! */ + if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile byte size (%d bytes against %d bytes left)\n", + totlen, cio_numbytesleft(cio) + 8); + return; + } + } if (!totlen) totlen = cio_numbytesleft(cio) + 8; |