Description
in the j2k.c file there is no check on max value of cp->tw or cp-th when the values are set.
cp->tw = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->x1 - cp->tx0), (OPJ_INT32)cp->tdx); cp->th = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->y1 - cp->ty0), (OPJ_INT32)cp->tdy);
These values are later multiplied and the result is used in an ops_calloc function that does not have a cast before the call. The product of these values are also used to iterate a loop with a loop iterator that is also a 32 bit integer, tileno, which is used to write to the allocated memory.
cp->tcps = (opj_tcp_t*) opj_calloc(cp->tw * cp->th, sizeof(opj_tcp_t)); if (!cp->tcps) { opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to allocate tile coding parameters\n"); return OPJ_FALSE; }
for (tileno = 0; tileno < cp->tw * cp->th; tileno++) {
opj_tcp_t *tcp = &cp->tcps[tileno];`
I was going to cast the calloc call, but it will create an issue in the tileno loop. I would like to add a check for the result of the multiplication or some cap on the maximum value of tw and th like in the struct l_cp as shown below:
/* Compute the number of tiles */ l_cp->tw = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(l_image->x1 - l_cp->tx0), (OPJ_INT32)l_cp->tdx); l_cp->th = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(l_image->y1 - l_cp->ty0), (OPJ_INT32)l_cp->tdy);
/* Check that the number of tiles is valid */
if (l_cp->tw == 0 || l_cp->th == 0 || l_cp->tw > 65535 / l_cp->th) {
opj_event_msg(p_manager, EVT_ERROR,
"Invalid number of tiles : %u x %u (maximum fixed by jpeg2000 norm is 65535 tiles)\n",
l_cp->tw, l_cp->th);
return OPJ_FALSE;
}`