Skip to content

Commit c535531

Browse files
committed
opj_t2_encode_packet(): fix potential write heap buffer overflow (#992)
1 parent dcac91b commit c535531

File tree

2 files changed

+24
-1
lines changed

2 files changed

+24
-1
lines changed

Diff for: src/lib/openjp2/j2k.c

+6-1
Original file line numberDiff line numberDiff line change
@@ -4215,7 +4215,6 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
42154215
assert(p_stream != 00);
42164216

42174217
OPJ_UNUSED(p_stream);
4218-
OPJ_UNUSED(p_manager);
42194218

42204219
if (p_total_data_size < 12) {
42214220
opj_event_msg(p_manager, EVT_ERROR,
@@ -4617,6 +4616,12 @@ static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k,
46174616

46184617
OPJ_UNUSED(p_stream);
46194618

4619+
if (p_total_data_size < 4) {
4620+
opj_event_msg(p_manager, EVT_ERROR,
4621+
"Not enough bytes in output buffer to write SOD marker\n");
4622+
return OPJ_FALSE;
4623+
}
4624+
46204625
opj_write_bytes(p_data, J2K_MS_SOD,
46214626
2); /* SOD */
46224627
p_data += 2;

Diff for: src/lib/openjp2/t2.c

+18
Original file line numberDiff line numberDiff line change
@@ -629,6 +629,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
629629

630630
/* <SOP 0xff91> */
631631
if (tcp->csty & J2K_CP_CSTY_SOP) {
632+
if (length < 6) {
633+
if (p_t2_mode == FINAL_PASS) {
634+
opj_event_msg(p_manager, EVT_ERROR,
635+
"opj_t2_encode_packet(): only %u bytes remaining in "
636+
"output buffer. %u needed.\n",
637+
length, 6);
638+
}
639+
return OPJ_FALSE;
640+
}
632641
c[0] = 255;
633642
c[1] = 145;
634643
c[2] = 0;
@@ -817,6 +826,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno,
817826

818827
/* <EPH 0xff92> */
819828
if (tcp->csty & J2K_CP_CSTY_EPH) {
829+
if (length < 2) {
830+
if (p_t2_mode == FINAL_PASS) {
831+
opj_event_msg(p_manager, EVT_ERROR,
832+
"opj_t2_encode_packet(): only %u bytes remaining in "
833+
"output buffer. %u needed.\n",
834+
length, 2);
835+
}
836+
return OPJ_FALSE;
837+
}
820838
c[0] = 255;
821839
c[1] = 146;
822840
c += 2;

0 commit comments

Comments
 (0)