Closed
Description
In method opj_t1_decode_cblk in t1.c, line 1808, we have:
bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
bpno_plus_one may only decrease throughout the method. It is used as a bit position in the methods called from opj_t1_decode_cblk. For example, on line 1903:
opj_t1_dec_clnpass_generic(t1, bpno_plus_one, (OPJ_INT32)cblksty);
leads to line 1200:
one = 1 << bpno;
I think we can add the following after line 1808:
if (bpno_plus_one > 30) { return OPJ_FALSE; }
This fixes undefined shifts that may be caused when the value is too large, and makes sense as it is a bit position. I can share a sample where UBSAN is complaining on request.
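The following is an added illustration, not OpenJPEG's code: a small model of the bit-plane loop in opj_t1_decode_cblk that starts at bpno_plus_one = roishift + numbps, decreases it per pass, and performs the `1 << bpno` shift from line 1200. It shows why a bit position above 30 is a problem for a 32-bit int (the shift becomes undefined at bpno >= 31) and how the proposed guard rejects such input before any shift happens. The type names mirror OpenJPEG's, but model_decode_cblk and shift_would_overflow are assumed helpers written for this example.

```c
#include <stdint.h>

/* Minimal stand-ins for OpenJPEG's typedefs (assumption for this example). */
typedef int32_t  OPJ_INT32;
typedef uint32_t OPJ_UINT32;
#define OPJ_TRUE  1
#define OPJ_FALSE 0

/* Nonzero if shifting 1 by bpno is undefined for a 32-bit signed int:
 * negative counts and counts >= 31 (1 << 31 does not fit in int). */
int shift_would_overflow(OPJ_INT32 bpno)
{
    return bpno < 0 || bpno >= 31;
}

/* Constructed model of the decode loop (not the real t1.c logic): one pass per
 * bit plane from the top plane down. *max_one receives the largest plane mask
 * produced. Returns OPJ_FALSE when the input would require an undefined shift. */
int model_decode_cblk(OPJ_INT32 roishift, OPJ_UINT32 numbps, OPJ_INT32 *max_one)
{
    OPJ_INT32 bpno_plus_one = (OPJ_INT32)(roishift + numbps); /* as on line 1808 */
    *max_one = 0;

    /* The guard proposed in the issue: reject bit positions above 30. */
    if (bpno_plus_one > 30) {
        return OPJ_FALSE;
    }

    while (bpno_plus_one > 0) {
        OPJ_INT32 bpno = bpno_plus_one - 1;
        if (shift_would_overflow(bpno)) {   /* unreachable once guarded; kept as a check */
            return OPJ_FALSE;
        }
        OPJ_INT32 one = 1 << bpno;          /* the shift from line 1200 */
        if (one > *max_one) {
            *max_one = one;
        }
        bpno_plus_one--;                    /* bpno_plus_one only ever decreases */
    }
    return OPJ_TRUE;
}
```

With the guard in place, a code block whose roishift + numbps exceeds 30 is rejected up front instead of reaching the shift; without it, bpno = 31 or more triggers the UBSAN report described above.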