Skip to content

Commit

Permalink
Fix heap-buffer-overflow in color_esycc_to_rgb
Browse files Browse the repository at this point in the history
When all components do not have the same dx/dy, components buffer are
read beyond their end.
Do not convert in this case.

Update #725
  • Loading branch information
mayeut committed Apr 25, 2016
1 parent c559c62 commit 4d149b5
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion src/bin/common/color.c
Original file line number Diff line number Diff line change
Expand Up @@ -744,7 +744,14 @@ void color_esycc_to_rgb(opj_image_t *image)
int flip_value = (1 << (image->comps[0].prec-1));
int max_value = (1 << image->comps[0].prec) - 1;

if(image->numcomps < 3) return;
if (
(image->numcomps < 3)
|| (image->comps[0].dx != image->comps[1].dx) || (image->comps[0].dx != image->comps[2].dx)
|| (image->comps[0].dy != image->comps[1].dy) || (image->comps[0].dy != image->comps[2].dy)
) {
fprintf(stderr,"%s:%d:color_esycc_to_rgb\n\tCAN NOT CONVERT\n", __FILE__,__LINE__);
return;
}

w = image->comps[0].w;
h = image->comps[0].h;
Expand Down

0 comments on commit 4d149b5

Please sign in to comment.