Fix possible out-of-bound reads in get_jpx_info

Uli Schlachter requested to merge psychon/cairo:jpx-out-of-bounds into master

Inspired by 1, I looked into the other functions in cairo-image-info.c. This commit fixes the possible out-of-bound reads that I found just by staring at the code.

_jpx_next_box() would happily read beyond the end of the data via get_unaligned_be32(). This commit adds checks that at least four bytes of data are available.

Additionally, I made this function check that its returned pointer is within bounds, just because I found this easier to reason about.

Also, _jpx_extract_info() did not check that it had enough data to read. This is fixed by making the function fallible and giving it information about the end of data.

Signed-off-by: Uli Schlachter psychon@znc.in
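
The two kinds of check the description names (enough bytes before reading a length, and a returned pointer that stays within bounds), as an added C sketch that is not the cairo patch itself. The names `next_box`, `extract_dims`, `count_boxes` and `struct dims` are hypothetical, the sample buffer is constructed, and rejecting box lengths below 8 is a simplification made here.

```c
#include <stddef.h>
#include <stdint.h>

/* Big-endian 32-bit read; the caller guarantees four readable bytes. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: start of the box after the one at p, or NULL when the
 * length field is unreadable or the result would fall outside [p, end]. */
static const unsigned char *next_box(const unsigned char *p,
                                     const unsigned char *end)
{
    if (p == NULL || p > end || (size_t)(end - p) < 4)
        return NULL;                      /* fewer than four bytes left */
    uint32_t len = be32(p);
    if (len < 8 || len > (size_t)(end - p))
        return NULL;                      /* no progress, or past the end */
    return p + len;
}

struct dims { uint32_t width, height; };

/* Hypothetical fallible reader: two 32-bit fields from a box payload. */
static int extract_dims(const unsigned char *p, const unsigned char *end,
                        struct dims *out)
{
    if (p == NULL || p > end || (size_t)(end - p) < 8)
        return 0;                         /* not enough data to read */
    out->height = be32(p);
    out->width = be32(p + 4);
    return 1;
}

/* Walk every box in data[0..len); return the count, or -1 if malformed. */
static int count_boxes(const unsigned char *data, size_t len)
{
    const unsigned char *p = data, *end = data + len;
    int n = 0;
    for (; p < end; n++)
        if ((p = next_box(p, end)) == NULL)
            return -1;
    return n;
}

/* Constructed sample: one 16-byte "ihdr" box, height 2, width 3. */
static const unsigned char sample[16] = {
    0, 0, 0, 16, 'i', 'h', 'd', 'r', 0, 0, 0, 2, 0, 0, 0, 3 };

int main(void) { return count_boxes(sample, sizeof sample) == 1 ? 0 : 1; }
```

Truncating the sample by one byte makes `count_boxes` return -1 instead of reading past the buffer, because the declared box length no longer fits in the remaining data.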