There are two missing checks for length in function t2_encode_packet in src/lib/openmj2/t2.c. (see #992)
```c
/* src/lib/openmj2/t2.c, lines 167-177 */
/* <SOP 0xff91> */
if (tcp->csty & J2K_CP_CSTY_SOP) {
    c[0] = 255;
    c[1] = 145;
    c[2] = 0;
    c[3] = 4;
    c[4] = (unsigned char)((tile->packno % 65536) / 256);
    c[5] = (unsigned char)((tile->packno % 65536) % 256);
    c += 6;
}
/* </SOP> */
...
/* src/lib/openmj2/t2.c, lines 273-279 */
/* <EPH 0xff92> */
if (tcp->csty & J2K_CP_CSTY_EPH) {
    c[0] = 255;
    c[1] = 146;
    c += 2;
}
/* </EPH> */
```
Below is the proposed patch for the t2_encode_packet function.
167 /* <SOP 0xff91> */ 168 if (tcp->csty & J2K_CP_CSTY_SOP) { + if (length < 6) { + if (p_t2_mode == FINAL_PASS) { + opj_event_msg(p_manager, EVT_ERROR, + "opj_t2_encode_packet(): only %u bytes remaining in " + "output buffer. %u needed.\n", + length, 6); + } + return OPJ_FALSE; + } 169 c[0] = 255; 170 c[1] = 145; 171 c[2] = 0; 172 c[3] = 4; 173 c[4] = (unsigned char)((tile->packno % 65536) / 256); 174 c[5] = (unsigned char)((tile->packno % 65536) % 256); 175 c += 6; 176 } 177 /* </SOP> */ ... 273 /* <EPH 0xff92> */ 274 if (tcp->csty & J2K_CP_CSTY_EPH) { + if (length < 2) { + if (p_t2_mode == FINAL_PASS) { + opj_event_msg(p_manager, EVT_ERROR, + "opj_t2_encode_packet(): only %u bytes remaining in " + "output buffer. %u needed.\n", + length, 2); + } + return OPJ_FALSE; + } 275 c[0] = 255; 276 c[1] = 146; 277 c += 2; 278 } 279 /* </EPH> */
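Review bot: In the SOP hunk the new `length < 6` check is not paired with a `length -= 6` after `c += 6`, so unless the elided code adjusts `length`, the EPH check `length < 2` compares against a count that still includes the six bytes already written; decrement `length` next to each pointer advance (`c += 6` and `c += 2`). Both error messages also name `opj_t2_encode_packet()` while the function being patched is `t2_encode_packet`, and `p_t2_mode`, `p_manager` and `OPJ_FALSE` do not appear in the quoted original, so confirm they exist in this file's version of the function and that the return value matches what its callers expect.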
Do you plan to address this vulnerability? Note that CVE-2018-16376 was assigned.