File openjpeg2-CVE-2016-4797.patch of Package openjpeg2.36921

Index: openjpeg-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg-2.1.0.orig/src/lib/openjp2/tcd.c
+++ openjpeg-2.1.0/src/lib/openjp2/tcd.c
@@ -691,8 +691,12 @@ OPJ_BOOL FUNCTION (     opj_tcd_t *p_tcd
                 l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);                                                                                                                                          \
                 /*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/                                                                                     \
                                                                     \
-                l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0)           \
-                * (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0) * (OPJ_UINT32)sizeof(OPJ_UINT32 );\
+                l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0);           \
+                if ((l_data_size > 0U) && ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0))) { \
+                        fprintf (stderr, "Size of data exceeds system limits\n"); \
+                        return OPJ_FALSE; \
+		} \
+                l_data_size *= (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0) * (OPJ_UINT32)sizeof(OPJ_UINT32 );\
                 l_tilec->numresolutions = l_tccp->numresolutions;   \
                 if (l_tccp->numresolutions < l_cp->m_specific_param.m_dec.m_reduce) {                                                                                                                             \
                         l_tilec->minimum_num_resolutions = 1;       \
Places

File openjpeg2-CVE-2016-4797.patch of Package openjpeg2.36921

Places
