diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 0de088d..6310c08 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
         int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
         int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
         int32_t       length = getLong((byte*)&pBox->length, bigEndian);
+        enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         int32_t       count  = sizeof (Jp2BoxHeader);
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 
         while ( count < length || !bWroteColor ) {
+            enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
 
             // copy data.  pointer could be into a memory mapped file which we will decode!
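Review bot: The two checks added around the `pBox` cast compare against `output.size_`, but the header and `length` are read from `boxBuf.pData_`. Because `output` is allocated as `boxBuf.size_ + iccProfile_.size_ + 100`, the first check can hardly fail, and a `length` larger than `boxBuf` still passes the second, so the loop can read past the input buffer. Bounding both against the source buffer looks like the intent: `enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(boxBuf.size_), Exiv2::kerCorruptedMetadata);` and `enforce(length >= 0 && static_cast<size_t>(length) <= static_cast<size_t>(boxBuf.size_), Exiv2::kerCorruptedMetadata);`. In the loop check, `length - count` is a signed `int32_t` converted to unsigned for the comparison, so if `count` exceeds `length` while `bWroteColor` is still false the difference wraps to a large value and the check passes; `enforce(count <= length && sizeof(Jp2BoxHeader) <= static_cast<size_t>(length - count), Exiv2::kerCorruptedMetadata);` closes that. The enclosing function starts and ends outside the hunk, so whether `count` can overshoot `length` depends on an increment that is not visible here.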