
Commit 4a59cfa

committed
Fixed a buffer overrun problem in the QMFB code in the JPC codec
that was caused by a buffer being allocated with a size that was too small in some cases. Added a new regression test case.
1 parent ed355a6 commit 4a59cfa


2 files changed

+15
-13
lines changed


Diff for: data/test/bad/PoC1.jpc

233 Bytes
Binary file not shown.

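--- a/src/libjasper/jpc/jpc_qmfb.c
+++ b/src/libjasper/jpc/jpc_qmfb.c
@@ -374,7 +374,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
 register jpc_fix_t *dstptr;
 register int n;
 register int m;
-int hstartcol;
+int hstartrow;
 
 /* Get a buffer. */
 if (bufsize > QMFB_SPLITBUFSIZE) {
@@ -385,9 +385,9 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
 }
 
 if (numrows >= 2) {
-hstartcol = (numrows + 1 - parity) >> 1;
-// ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
-m = numrows - hstartcol;
+hstartrow = (numrows + 1 - parity) >> 1;
+// ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+m = numrows - hstartrow;
 
 /* Save the samples destined for the highpass channel. */
 n = m;
@@ -408,7 +408,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, int numrows, int stride,
 srcptr += stride << 1;
 }
 /* Copy the saved samples into the highpass channel. */
-dstptr = &a[hstartcol * stride];
+dstptr = &a[hstartrow * stride];
 srcptr = buf;
 n = m;
 while (n-- > 0) {
@@ -439,20 +439,21 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
 register int n;
 register int i;
 int m;
-int hstartcol;
+int hstartrow;
 
 /* Get a buffer. */
 if (bufsize > QMFB_SPLITBUFSIZE) {
-if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+sizeof(jpc_fix_t)))) {
 /* We have no choice but to commit suicide in this case. */
 abort();
 }
 }
 
 if (numrows >= 2) {
-hstartcol = (numrows + 1 - parity) >> 1;
-// ORIGINAL (WRONG): m = (parity) ? hstartcol : (numrows - hstartcol);
-m = numrows - hstartcol;
+hstartrow = (numrows + 1 - parity) >> 1;
+// ORIGINAL (WRONG): m = (parity) ? hstartrow : (numrows - hstartrow);
+m = numrows - hstartrow;
 
 /* Save the samples destined for the highpass channel. */
 n = m;
@@ -485,7 +486,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, int numrows, int stride,
 srcptr += stride << 1;
 }
 /* Copy the saved samples into the highpass channel. */
-dstptr = &a[hstartcol * stride];
+dstptr = &a[hstartrow * stride];
 srcptr = buf;
 n = m;
 while (n-- > 0) {
@@ -526,7 +527,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, int numrows, int numcols,
 
 /* Get a buffer. */
 if (bufsize > QMFB_SPLITBUFSIZE) {
-if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
 /* We have no choice but to commit suicide in this case. */
 abort();
 }
@@ -721,7 +722,8 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, int numrows, int stride,
 
 /* Allocate memory for the join buffer from the heap. */
 if (bufsize > QMFB_JOINBUFSIZE) {
-if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE, sizeof(jpc_fix_t)))) {
+if (!(buf = jas_alloc3(bufsize, JPC_QMFB_COLGRPSIZE,
+sizeof(jpc_fix_t)))) {
 /* We have no choice but to commit suicide. */
 abort();
 }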
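Review bot: In jpc_qmfb_split_colres the heap path is now sized as `bufsize * numcols` elements, but the fixed buffer used when `bufsize <= QMFB_SPLITBUFSIZE` is declared outside the hunk, so it cannot be confirmed here that the small-size path also holds `numcols` samples per saved row; the same applies to the `JPC_QMFB_COLGRPSIZE` factor in jpc_qmfb_split_colgrp. If that fixed buffer is sized for one column group (not visible on this page), a runtime guard ahead of the "Get a buffer" block, e.g. `if (numcols > JPC_QMFB_COLGRPSIZE) abort();`, would pin the invariant for decoder-controlled dimensions in the same way the allocation failure is already handled. A short comment at each corrected call, such as `/* buf stores bufsize rows of numcols samples each, not bufsize samples. */`, would record why the extra dimension is required. The hstartcol to hstartrow rename and the re-wrapped jas_alloc3 call in jpc_qmfb_join_colgrp are unrelated to the overrun and make the two allocation changes harder to isolate when backporting the fix.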
