
Commit e96fc4f

committed
Fixed bugs due to uninitialized data in the JP2 decoder.
Also, added some comments marking I/O stream interfaces that probably need to be changed (in the long term) to fix integer overflow problems.
1 parent 7692d6d commit e96fc4f

2 files changed

+48
-14
lines changed


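--- a/src/libjasper/base/jas_stream.c
+++ b/src/libjasper/base/jas_stream.c
@@ -664,6 +664,7 @@ int jas_stream_ungetc(jas_stream_t *stream, int c)
 return 0;
 }
 
+/* FIXME integral type */
 int jas_stream_read(jas_stream_t *stream, void *buf, int cnt)
 {
 int n;
@@ -690,6 +691,7 @@ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt)
 return n;
 }
 
+/* FIXME integral type */
 int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt)
 {
 int n;
@@ -742,6 +744,7 @@ int jas_stream_puts(jas_stream_t *stream, const char *s)
 return 0;
 }
 
+/* FIXME integral type */
 char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
 {
 int c;
@@ -765,6 +768,7 @@ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
 return buf;
 }
 
+/* FIXME integral type */
 int jas_stream_gobble(jas_stream_t *stream, int n)
 {
 int m;
@@ -783,6 +787,7 @@ int jas_stream_gobble(jas_stream_t *stream, int n)
 return n;
 }
 
+/* FIXME integral type */
 int jas_stream_pad(jas_stream_t *stream, int n, int c)
 {
 int m;
@@ -885,6 +890,7 @@ long jas_stream_tell(jas_stream_t *stream)
 * Buffer initialization code.
 \******************************************************************************/
 
+/* FIXME integral type */
 static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
 int bufsize)
 {
@@ -1060,6 +1066,7 @@ static int jas_strtoopenmode(const char *s)
 return openmode;
 }
 
+/* FIXME integral type */
 int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n)
 {
 int all;
@@ -1085,6 +1092,7 @@ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n)
 return 0;
 }
 
+/* FIXME integral type */
 long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt)
 {
 int old;
@@ -1094,6 +1102,7 @@ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt)
 return old;
 }
 
+/* FIXME integral type */
 int jas_stream_display(jas_stream_t *stream, FILE *fp, int n)
 {
 unsigned char buf[16];
@@ -1168,6 +1177,7 @@ long jas_stream_length(jas_stream_t *stream)
 * Memory stream object.
 \******************************************************************************/
 
+/* FIXME integral type */
 static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 ssize_t n;
@@ -1209,6 +1219,7 @@ static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
 return 0;
 }
 
+/* FIXME integral type */
 static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 size_t n;
@@ -1264,6 +1275,7 @@ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt)
 return ret;
 }
 
+/* FIXME integral type */
 static long mem_seek(jas_stream_obj_t *obj, long offset, int origin)
 {
 jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj;
@@ -1310,6 +1322,7 @@ static int mem_close(jas_stream_obj_t *obj)
 * File stream object.
 \******************************************************************************/
 
+/* FIXME integral type */
 static int file_read(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 jas_stream_fileobj_t *fileobj;
@@ -1318,6 +1331,7 @@ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt)
 return read(fileobj->fd, buf, cnt);
 }
 
+/* FIXME integral type */
 static int file_write(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 jas_stream_fileobj_t *fileobj;
@@ -1326,6 +1340,7 @@ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt)
 return write(fileobj->fd, buf, cnt);
 }
 
+/* FIXME integral type */
 static long file_seek(jas_stream_obj_t *obj, long offset, int origin)
 {
 jas_stream_fileobj_t *fileobj;
@@ -1352,6 +1367,7 @@ static int file_close(jas_stream_obj_t *obj)
 * Stdio file stream object.
 \******************************************************************************/
 
+/* FIXME integral type */
 static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 FILE *fp;
@@ -1367,6 +1383,7 @@ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt)
 return result;
 }
 
+/* FIXME integral type */
 static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt)
 {
 FILE *fp;
@@ -1377,6 +1394,7 @@ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt)
 return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt;
 }
 
+/* FIXME integral type */
 static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin)
 {
 FILE *fp;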
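--- a/src/libjasper/jp2/jp2_cod.c
+++ b/src/libjasper/jp2/jp2_cod.c
@@ -183,15 +183,28 @@ jp2_boxinfo_t jp2_boxinfo_unk = {
 * Box constructor.
 \******************************************************************************/
 
-jp2_box_t *jp2_box_create(int type)
+jp2_box_t *jp2_box_create0()
 {
 jp2_box_t *box;
-jp2_boxinfo_t *boxinfo;
-
 if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
 return 0;
 }
 memset(box, 0, sizeof(jp2_box_t));
+box->type = 0;
+box->len = 0;
+// Mark the box data as never having been constructed
+// so that we will not errantly attempt to destroy it later.
+box->ops = &jp2_boxinfo_unk.ops;
+return box;
+}
+
+jp2_box_t *jp2_box_create(int type)
+{
+jp2_box_t *box;
+jp2_boxinfo_t *boxinfo;
+if (!(box = jp2_box_create0())) {
+return 0;
+}
 box->type = type;
 box->len = 0;
 if (!(boxinfo = jp2_boxinfolookup(type))) {
@@ -248,25 +261,22 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
 box = 0;
 tmpstream = 0;
 
-if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+if (!(box = jp2_box_create0())) {
 goto error;
 }
-
-// Mark the box data as never having been constructed
-// so that we will not errantly attempt to destroy it later.
-box->ops = &jp2_boxinfo_unk.ops;
-
 if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) {
 goto error;
 }
 boxinfo = jp2_boxinfolookup(box->type);
 box->info = boxinfo;
 box->len = len;
 JAS_DBGLOG(10, (
-"preliminary processing of JP2 box: type=%c%s%c (0x%08x); length=%d\n",
+"preliminary processing of JP2 box: "
+"type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n",
 '"', boxinfo->name, '"', box->type, box->len
 ));
 if (box->len == 1) {
+JAS_DBGLOG(10, ("big length\n"));
 if (jp2_getuint64(in, &extlen)) {
 goto error;
 }
@@ -382,6 +392,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in)
 {
 jp2_bpcc_t *bpcc = &box->data.bpcc;
 unsigned int i;
+bpcc->bpcs = 0;
 bpcc->numcmpts = box->datalen;
 if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
 return -1;
@@ -462,6 +473,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in)
 jp2_cdef_t *cdef = &box->data.cdef;
 jp2_cdefchan_t *chan;
 unsigned int channo;
+cdef->ents = 0;
 if (jp2_getuint16(in, &cdef->numchans)) {
 return -1;
 }
@@ -518,7 +530,9 @@ int jp2_box_put(jp2_box_t *box, jas_stream_t *out)
 }
 
 if (dataflag) {
-if (jas_stream_copy(out, tmpstream, box->len - JP2_BOX_HDRLEN(false))) {
+if (jas_stream_copy(out, tmpstream, box->len -
+JP2_BOX_HDRLEN(false))) {
+jas_eprintf("cannot copy box data\n");
 goto error;
 }
 jas_stream_close(tmpstream);
@@ -777,6 +791,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in)
 jp2_cmap_t *cmap = &box->data.cmap;
 jp2_cmapent_t *ent;
 unsigned int i;
+cmap->ents = 0;
 
 cmap->numchans = (box->datalen) / 4;
 if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
@@ -835,6 +850,7 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
 int_fast32_t x;
 
 pclr->lutdata = 0;
+pclr->bpc = 0;
 
 if (jp2_getuint16(in, &pclr->numlutents) ||
 jp2_getuint8(in, &pclr->numchans)) {
@@ -869,9 +885,9 @@ static int jp2_pclr_putdata(jp2_box_t *box, jas_stream_t *out)
 #if 0
 jp2_pclr_t *pclr = &box->data.pclr;
 #endif
-/* Eliminate warning about unused variable. */
-box = 0;
-out = 0;
+/* Eliminate warning about unused variable. */
+box = 0;
+out = 0;
 return -1;
 }
 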
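Review bot: The new `jp2_box_create0()` at the top of the first hunk is declared with an empty parameter list, which in C is an old-style non-prototype declaration, so calls to it are not argument-checked; write it as `jp2_box_t *jp2_box_create0(void)` (and `static` if it is not meant to be exported through a header, which I cannot tell from the hunk). The `box->type = 0;` and `box->len = 0;` lines right after the `memset` are redundant but harmless, as is the `box->len = 0;` kept in `jp2_box_create` after the `jp2_box_create0()` call; `jp2_box_create` itself continues past the end of the hunk. The zeroing of `bpcs`, `ents` and `bpc` in the later hunks is placed before the first early return so the box destructor sees a null pointer rather than whatever the union held before, which is the actual fix here, and a short comment at each site such as `/* Initialize so the box destructor can safely free on the error paths below. */` would keep a future refactor from moving the allocation above it.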