1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 25 Nov 2024 23:11:24 +0100
Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
width_component_1_or_2 + 1 == with_component_0
Fixes #1563
Also adjusts sycc420_to_rgb() for potential similar issue (amending
commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
---
src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
1 file changed, 32 insertions(+), 10 deletions(-)
Index: openjpeg2-2.5.0/src/bin/common/color.c
===================================================================
--- openjpeg2-2.5.0.orig/src/bin/common/color.c
+++ openjpeg2-2.5.0/src/bin/common/color.c
@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *
{
int *d0, *d1, *d2, *r, *g, *b;
const int *y, *cb, *cr;
- size_t maxw, maxh, max, offx, loopmaxw;
+ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
int offset, upb;
size_t i;
@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *
upb = (1 << upb) - 1;
maxw = (size_t)img->comps[0].w;
+ comp12w = (size_t)img->comps[1].w;
maxh = (size_t)img->comps[0].h;
max = maxw * maxh;
@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
++y;
++r;
++g;
++b;
- ++cb;
- ++cr;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
}
@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *
{
int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
const int *y, *cb, *cr, *ny;
- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
+ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
int offset, upb;
size_t i;
@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *
upb = (1 << upb) - 1;
maxw = (size_t)img->comps[0].w;
+ comp12w = (size_t)img->comps[1].w;
maxh = (size_t)img->comps[0].h;
max = maxw * maxh;
@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
++y;
++r;
++g;
++b;
- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
+ } else {
+ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
+ }
++ny;
++nr;
++ng;
++nb;
- ++cb;
- ++cr;
+ if (j / 2 < comp12w) {
+ ++cb;
+ ++cr;
+ }
}
y += maxw;
r += maxw;
@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *
++cr;
}
if (j < loopmaxw) {
- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ if (j / 2 == comp12w) {
+ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+ } else {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
}
}
|
