author | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
---|---|---|
committer | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
commit | 15ffda3bcd697e6f3a0cc13e141da865f36f3b53 (patch) | |
tree | f98d9fc831f18a9194818f5428466884654e802b /source/blender/imbuf/intern/jp2.c | |
parent | 2d60845786aeab099c61ffa42b7f72cccc68bff1 (diff) |
Fix T82602: checking image header reads past buffer bounds
Use the size argument to ensure checking the header doesn't read
past the buffer bounds when reading corrupt/truncated headers
from image files.
Diffstat (limited to 'source/blender/imbuf/intern/jp2.c')
-rw-r--r-- | source/blender/imbuf/intern/jp2.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/source/blender/imbuf/intern/jp2.c b/source/blender/imbuf/intern/jp2.c
index b964510b8db..e19589317d7 100644
--- a/source/blender/imbuf/intern/jp2.c
+++ b/source/blender/imbuf/intern/jp2.c
@@ -58,31 +58,38 @@ enum {
 DCP_CINEMA4K = 4,
 };
 
-static bool check_jp2(const unsigned char *mem) /* J2K_CFMT */
+static bool check_jp2(const unsigned char *mem, const size_t size) /* J2K_CFMT */
 {
+ if (size < sizeof(JP2_HEAD)) {
+ return false;
+ }
 return memcmp(JP2_HEAD, mem, sizeof(JP2_HEAD)) ? 0 : 1;
 }
 
-static bool check_j2k(const unsigned char *mem) /* J2K_CFMT */
+static bool check_j2k(const unsigned char *mem, const size_t size) /* J2K_CFMT */
 {
+ if (size < sizeof(J2K_HEAD)) {
+ return false;
+ }
 return memcmp(J2K_HEAD, mem, sizeof(J2K_HEAD)) ? 0 : 1;
 }
 
-static OPJ_CODEC_FORMAT format_from_header(const unsigned char mem[JP2_FILEHEADER_SIZE])
+static OPJ_CODEC_FORMAT format_from_header(const unsigned char mem[JP2_FILEHEADER_SIZE],
+ const size_t size)
 {
- if (check_jp2(mem)) {
+ if (check_jp2(mem, size)) {
 return OPJ_CODEC_JP2;
 }
- if (check_j2k(mem)) {
+ if (check_j2k(mem, size)) {
 return OPJ_CODEC_J2K;
 }
 
 return OPJ_CODEC_UNKNOWN;
 }
 
-bool imb_is_a_jp2(const unsigned char *buf, size_t UNUSED(size))
+bool imb_is_a_jp2(const unsigned char *buf, size_t size)
 {
- return (check_jp2(buf) || check_j2k(buf));
+ return (check_jp2(buf, size) || check_j2k(buf, size));
 }
 
 /**
@@ -317,7 +324,7 @@ ImBuf *imb_load_jp2(const unsigned char *mem,
 int flags,
 char colorspace[IM_MAX_SPACE])
 {
- const OPJ_CODEC_FORMAT format = (size > JP2_FILEHEADER_SIZE) ? format_from_header(mem) :
+ const OPJ_CODEC_FORMAT format = (size > JP2_FILEHEADER_SIZE) ? format_from_header(mem, size) :
 OPJ_CODEC_UNKNOWN;
 struct BufInfo buf_wrapper = {
 .buf = mem,
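Review bot: The new `size` parameter of `check_jp2` and `check_j2k` has no stated contract, and the added bounds check is only sound if callers pass the number of readable bytes at `mem` rather than an allocation size. A one-line comment above each helper would pin that down, e.g. `/* 'size' is the number of valid bytes at 'mem'; buffers shorter than the signature never match. */`. The trailing `/* J2K_CFMT */` on `check_jp2` is identical to the one on `check_j2k` and looks like a copy-paste leftover; presumably it should name the JP2 format. `format_from_header` still declares `mem[JP2_FILEHEADER_SIZE]`, which the compiler does not enforce, so its comment should say that `size` is what actually bounds the read.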
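Review bot: The ternary in `imb_load_jp2` keeps the outer `size > JP2_FILEHEADER_SIZE` test while `format_from_header` now bounds-checks `size` itself, so two different thresholds guard the same read and it is not obvious which one is authoritative. If the outer test is kept deliberately, say so in a comment such as `/* The header checks validate 'size' themselves; this only skips buffers too small to hold anything beyond a file header. */`; otherwise the call can be reduced to `format_from_header(mem, size)`. Note that `>` also rejects a buffer of exactly `JP2_FILEHEADER_SIZE` bytes. The body of `imb_load_jp2` continues outside the hunk.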
@@ -348,7 +355,7 @@ ImBuf *imb_load_jp2_filepath(const char *filepath, int flags, char colorspace[IM
 
 fseek(p_file, 0, SEEK_SET);
 
- const OPJ_CODEC_FORMAT format = format_from_header(mem);
+ const OPJ_CODEC_FORMAT format = format_from_header(mem, sizeof(mem));
 ImBuf *ibuf = imb_load_jp2_stream(stream, format, flags, colorspace);
 opj_stream_destroy(stream);
 return ibuf; |
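Review bot: `sizeof(mem)` is the capacity of the local header buffer, not the number of bytes actually read from the file, so on this path the new length check cannot by itself catch a truncated file. The declaration of `mem` and the read that fills it are outside the hunk; if that read can come back short, pass the count it produced instead of `sizeof(mem)`, and if a short read is already rejected, record that with a comment such as `/* 'mem' was read in full above, so its whole size is valid. */`. `sizeof(mem)` also relies on `mem` being an array in this scope rather than a pointer.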