diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index 0af52f8..2fc4e9b 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -622,31 +622,38 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) { - OPJ_UINT32 x, y; + OPJ_UINT32 x, y, written; OPJ_UINT8 *pix; const OPJ_UINT8 *beyond; beyond = pData + stride * height; pix = pData; - x = y = 0U; + x = y = written = 0U; while (y < height) { int c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c) { /* encoded mode */ - int j; - OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); + int j, c1_int; + OPJ_UINT8 c1; + + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } } else { /* absolute mode */ c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c == 0x00) { /* EOL */ @@ -657,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, break; } else if (c == 0x02) { /* MOVE by dxdy */ c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } x += (OPJ_UINT32)c; c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } y += (OPJ_UINT32)c; pix = pData + y * stride + x; } else { /* 03 .. 255 : absolute mode */ @@ -668,16 +681,29 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { if ((j & 1) == 0) { - c1 = (OPJ_UINT8)getc(IN); + int c1_int; + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; } *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ - getc(IN); + c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } } } } } /* while(y < height) */ + if (written != width * height) { + fprintf(stderr, "warning, image's actual size does not match advertized one\n"); + return OPJ_FALSE; + } return OPJ_TRUE; } diff --git a/src/bin/jpip/CMakeLists.txt b/src/bin/jpip/CMakeLists.txt index 301d885..b412510 100644 --- a/src/bin/jpip/CMakeLists.txt +++ b/src/bin/jpip/CMakeLists.txt @@ -61,10 +61,10 @@ find_package(Java 1.5 COMPONENTS Development) # javac, jar # User can override this: if(NOT DEFINED JAVA_SOURCE_VERSION) - set(JAVA_SOURCE_VERSION 1.5) + set(JAVA_SOURCE_VERSION 1.7) endif() if(NOT DEFINED JAVA_TARGET_VERSION) - set(JAVA_TARGET_VERSION 1.5) + set(JAVA_TARGET_VERSION 1.7) endif() # Only build the java viewer if dev is found: diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 4169cd6..9e9a30f 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, l_img_comp = p_image->comps; for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { OPJ_INT32 l_h, l_w; + if (p_image->x0 > (OPJ_UINT32)INT_MAX || + p_image->y0 > (OPJ_UINT32)INT_MAX || + p_image->x1 > (OPJ_UINT32)INT_MAX || + p_image->y1 > (OPJ_UINT32)INT_MAX) { + opj_event_msg(p_manager, EVT_ERROR, + "Image coordinates above INT_MAX are not supported\n"); + return OPJ_FALSE; + } l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, (OPJ_INT32)l_img_comp->dx); diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index be3b843..647991c 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; - l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; - l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, + (OPJ_INT32)l_pdx)) << l_pdx; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_x_end = (OPJ_INT32)tmp; + } + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, + (OPJ_INT32)l_pdy)) << l_pdy; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_y_end = (OPJ_INT32)tmp; + } /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((