diff -up openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/cio.c
--- openjpeg-1.5.1/libopenjpeg/cio.c.CVE-2013-6052 2012-09-13 02:58:39.000000000 -0500
+++ openjpeg-1.5.1/libopenjpeg/cio.c 2014-01-07 14:43:14.213256439 -0600
@@ -30,6 +30,7 @@
*/
#include "opj_includes.h"
+#include <assert.h>
/* ----------------------------------------------------------------------- */
@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
* Read a byte.
*/
unsigned char cio_bytein(opj_cio_t *cio) {
+ if (cio->bp < cio->start) {
+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ abort();
+ return 0;
+ }
if (cio->bp >= cio->end) {
opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
return 0;
@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
unsigned int v;
v = 0;
for (i = n - 1; i >= 0; i--) {
- v += cio_bytein(cio) << (i << 3);
+ v += (unsigned int)cio_bytein(cio) << (i << 3);
}
return v;
}
@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
* n : number of bytes to skip
*/
void cio_skip(opj_cio_t *cio, int n) {
+ assert((cio->bp + n) >= cio->bp);
cio->bp += n;
}
diff -up openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 openjpeg-1.5.1/libopenjpeg/jp2.c
--- openjpeg-1.5.1/libopenjpeg/jp2.c.CVE-2013-6052 2014-01-07 14:43:14.201256566 -0600
+++ openjpeg-1.5.1/libopenjpeg/jp2.c 2014-01-07 14:43:14.214256428 -0600
@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
}
else if (box->length == 0) {
box->length = cio_numbytesleft(cio) + 8;
+ } else if (box->length < 0) {
+ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
+ return OPJ_FALSE;
}
if (box->length < 0) {
opj_event_msg(cinfo, EVT_ERROR, "Integer overflow in box->length\n");