1From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001 2From: Kevin Backhouse <kevinbackhouse@github.com> 3Date: Wed, 21 Apr 2021 12:06:04 +0100 4Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header 5--- 6 src/jp2image.cpp | 3 +++ 7 1 file changed, 3 insertions(+) 8 9diff --git a/src/jp2image.cpp b/src/jp2image.cpp 10index b424225..349a9f0 100644 11--- a/src/jp2image.cpp 12+++ b/src/jp2image.cpp 13@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m) 14 DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space 15 long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? 16 long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? 17+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); 18 Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; 19 uint32_t length = getLong((byte*)&pBox->length, bigEndian); 20+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); 21 uint32_t count = sizeof (Jp2BoxHeader); 22 char* p = (char*) boxBuf.pData_; 23 bool bWroteColor = false ; 24 25 while ( count < length || !bWroteColor ) { 26+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); 27 Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; 28 29 // copy data. pointer could be into a memory mapped file which we will decode! 30-- 312.25.1 32 33