
Commit f703806

committed
Added some missing sanity checks on the data in a SIZ marker segment.
1 parent dee1b64 commit f703806


1 file changed

+41
-16
lines changed


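--- a/src/libjasper/jpc/jpc_cs.c
+++ b/src/libjasper/jpc/jpc_cs.c
@@ -489,6 +489,8 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
 unsigned int i;
 uint_fast8_t tmp;
 
+siz->comps = 0;
+
 /* Eliminate compiler warning about unused variables. */
 cstate = 0;
 
@@ -502,44 +504,67 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
 jpc_getuint32(in, &siz->tilexoff) ||
 jpc_getuint32(in, &siz->tileyoff) ||
 jpc_getuint16(in, &siz->numcomps)) {
-return -1;
+goto error;
 }
-if (!siz->width || !siz->height || !siz->tilewidth ||
-!siz->tileheight || !siz->numcomps || siz->numcomps > 16384) {
-return -1;
+if (!siz->width || !siz->height) {
+jas_eprintf("reference grid cannot have zero area\n");
+goto error;
 }
-if (siz->tilexoff >= siz->width || siz->tileyoff >= siz->height) {
-jas_eprintf("all tiles are outside the image area\n");
-return -1;
+if (!siz->tilewidth || !siz->tileheight) {
+jas_eprintf("tile cannot have zero area\n");
+goto error;
+}
+if (!siz->numcomps || siz->numcomps > 16384) {
+jas_eprintf("number of components not in permissible range\n");
+goto error;
 }
+if (siz->xoff >= siz->width) {
+jas_eprintf("XOsiz not in permissible range\n");
+goto error;
+}
+if (siz->yoff >= siz->height) {
+jas_eprintf("YOsiz not in permissible range\n");
+goto error;
+}
+if (siz->tilexoff > siz->xoff || siz->tilexoff + siz->tilewidth <= siz->xoff) {
+jas_eprintf("XTOsiz not in permissible range\n");
+goto error;
+}
+if (siz->tileyoff > siz->yoff || siz->tileyoff + siz->tileheight <= siz->yoff) {
+jas_eprintf("YTOsiz not in permissible range\n");
+goto error;
+}
+
 if (!(siz->comps = jas_alloc2(siz->numcomps, sizeof(jpc_sizcomp_t)))) {
-return -1;
+goto error;
 }
 for (i = 0; i < siz->numcomps; ++i) {
 if (jpc_getuint8(in, &tmp) ||
 jpc_getuint8(in, &siz->comps[i].hsamp) ||
 jpc_getuint8(in, &siz->comps[i].vsamp)) {
-jas_free(siz->comps);
-return -1;
+goto error;
 }
 if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) {
 jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp);
-jas_free(siz->comps);
-return -1;
+goto error;
 }
 if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) {
 jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp);
-jas_free(siz->comps);
-return -1;
+goto error;
 }
 siz->comps[i].sgnd = (tmp >> 7) & 1;
 siz->comps[i].prec = (tmp & 0x7f) + 1;
 }
 if (jas_stream_eof(in)) {
-jas_free(siz->comps);
-return -1;
+goto error;
 }
 return 0;
+
+error:
+if (siz->comps) {
+jas_free(siz->comps);
+}
+return -1;
 }
 
 static int jpc_siz_putparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *out)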
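Review bot: The new `error:` path in jpc_siz_getparms frees `siz->comps` but leaves the stale pointer in the structure, so any cleanup that runs on the marker segment after a failed parse (not visible on this page) would free the same block a second time. Clearing it in the label, `jas_free(siz->comps); siz->comps = 0;`, keeps the failure path safe whatever the caller does next. Separately, `siz->tilexoff + siz->tilewidth` and `siz->tileyoff + siz->tileheight` add two values read with jpc_getuint32; if the struct members are only 32 bits wide the sum can wrap, which in these two tests only leads to a rejection but is worth a comment such as `/* a wrapped sum fails this test, so such tiles are rejected */`. The function begins above the first hunk, so the declaration of `siz` and the widths of its fields are not shown here.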
