22 lines
1.2 KiB
Diff
22 lines
1.2 KiB
Diff
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
|
index 0de088d..6310c08 100644
|
|
--- a/src/jp2image.cpp
|
|
+++ b/src/jp2image.cpp
|
|
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
|
|
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
|
|
int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
|
|
int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
|
|
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
|
|
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
|
|
int32_t length = getLong((byte*)&pBox->length, bigEndian);
|
|
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
|
|
int32_t count = sizeof (Jp2BoxHeader);
|
|
char* p = (char*) boxBuf.pData_;
|
|
bool bWroteColor = false ;
|
|
|
|
while ( count < length || !bWroteColor ) {
|
|
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
|
|
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
|
|
|
|
// copy data. pointer could be into a memory mapped file which we will decode!
|