Check bpno_plus_one in opj_t1_decode_cblk #903

Closed
npm1 opened this issue Mar 7, 2017 · 1 comment

npm1 commented Mar 7, 2017

In method opj_t1_decode_cblk in t1.c, line 1808, we have:
bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
bpno_plus_one may only decrease throughout the method. It is used as a bit position in the methods called in opj_t1_decode_cblk. For example, in line 1903:
opj_t1_dec_clnpass_generic(t1, bpno_plus_one, (OPJ_INT32)cblksty);
leads to line 1200:
one = 1 << bpno;

I think we can add the following after line 1808:
if (bpno_plus_one > 30) { return OPJ_FALSE; }
This fixes undefined shifts that may be caused when the value is too large, and makes sense as it is a bit position. I can share a sample where UBSAN is complaining on request.
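The guard proposed above, worked through as a stand-alone C example (added here, not OpenJPEG's own code): the OPJ_* typedefs, the cblk_t struct, checked_bpno_plus_one and decode_mask are constructed stand-ins for the real t1.c symbols, and the rejection of a negative cast result is an addition beyond the issue's `> 30` check.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the OpenJPEG types named in the issue (assumed, not the library headers). */
typedef int32_t  OPJ_INT32;
typedef uint32_t OPJ_UINT32;
typedef int      OPJ_BOOL;
#define OPJ_TRUE  1
#define OPJ_FALSE 0
/* Only the code-block field the quoted line reads (constructed). */
typedef struct { OPJ_UINT32 numbps; } cblk_t;
/* Largest shift count for which `1 << bpno` is defined on a 32-bit signed int. */
#define MAX_BPNO_PLUS_ONE 30

/* bpno_plus_one as the issue quotes it, with the proposed guard applied.
 * Returns -1 when the value is rejected; a negative result of the cast is
 * rejected as well, because shifting by a negative count is undefined too. */
OPJ_INT32 checked_bpno_plus_one(OPJ_UINT32 roishift, const cblk_t *cblk)
{
    OPJ_INT32 bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
    if (bpno_plus_one < 0 || bpno_plus_one > MAX_BPNO_PLUS_ONE) {
        return -1;
    }
    return bpno_plus_one;
}

/* Mirrors the `one = 1 << bpno` line reached from the cleanup pass, where bpno
 * receives bpno_plus_one. Stores the mask in *one_out, or returns OPJ_FALSE
 * without shifting when the guard rejects the value. */
OPJ_BOOL decode_mask(OPJ_UINT32 roishift, const cblk_t *cblk, OPJ_INT32 *one_out)
{
    OPJ_INT32 bpno = checked_bpno_plus_one(roishift, cblk);
    if (bpno < 0) {
        return OPJ_FALSE;
    }
    *one_out = 1 << bpno;  /* now guaranteed 0 <= bpno <= 30 */
    return OPJ_TRUE;
}

int main(void)
{
    cblk_t ok = { 8 }, bad = { 40 };
    OPJ_INT32 one = 0;
    printf("numbps=8, roishift=2:  %s, one=%d\n", decode_mask(2, &ok, &one) ? "accepted" : "rejected", one);
    printf("numbps=40, roishift=0: %s\n", decode_mask(0, &bad, &one) ? "accepted" : "rejected");
    return 0;
}
```

Compile with -fsanitize=undefined and remove the guard to see the shift that UBSAN reports on oversized inputs.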

@rouault
Collaborator

rouault commented Jul 29, 2017

Was fixed per db9ef99

@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017