xref: /aosp_15_r20/external/pdfium/third_party/libopenjpeg/0043-mel_init.patch (revision 3ac0a46f773bac49fa9476ec2b1cf3f8da5ec3a4)
1*3ac0a46fSAndroid Build Coastguard Workercommit 4da04cd3e88a0280be526e16077c540a45cbbfa8
2*3ac0a46fSAndroid Build Coastguard WorkerAuthor: Aous Naman <[email protected]>
3*3ac0a46fSAndroid Build Coastguard WorkerDate:   Fri Aug 12 02:29:40 2022 +1000
4*3ac0a46fSAndroid Build Coastguard Worker
5*3ac0a46fSAndroid Build Coastguard Worker    Replace the assert in mel_init to an if statement to address an issue with fuzzing. (#1436)
6*3ac0a46fSAndroid Build Coastguard Worker
7*3ac0a46fSAndroid Build Coastguard Worker    Modified the mel_init code to replace the assert statement with an if statement, returning false when an incorrect sequence of bytes is encountered in the MEL segment.  Similar code should be added to the main MEL decoding subroutine, but the change is more involved; in any case, an incorrect sequence produces incorrect results, but should not be harmful or cause a crash.
8*3ac0a46fSAndroid Build Coastguard Worker
9*3ac0a46fSAndroid Build Coastguard Workerdiff --git a/src/lib/openjp2/ht_dec.c b/src/lib/openjp2/ht_dec.c
10*3ac0a46fSAndroid Build Coastguard Workerindex a803d1bb..62a6c9e1 100644
11*3ac0a46fSAndroid Build Coastguard Worker--- a/src/lib/openjp2/ht_dec.c
12*3ac0a46fSAndroid Build Coastguard Worker+++ b/src/lib/openjp2/ht_dec.c
13*3ac0a46fSAndroid Build Coastguard Worker@@ -294,7 +294,7 @@ void mel_decode(dec_mel_t *melp)
14*3ac0a46fSAndroid Build Coastguard Worker   *  @param [in]  scup is the length of MEL+VLC segments
15*3ac0a46fSAndroid Build Coastguard Worker   */
16*3ac0a46fSAndroid Build Coastguard Worker static INLINE
17*3ac0a46fSAndroid Build Coastguard Worker-void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
18*3ac0a46fSAndroid Build Coastguard Worker+OPJ_BOOL mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
19*3ac0a46fSAndroid Build Coastguard Worker {
20*3ac0a46fSAndroid Build Coastguard Worker     int num;
21*3ac0a46fSAndroid Build Coastguard Worker     int i;
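Review bot: The Doxygen block above `mel_init` still ends at the `@param [in]  scup` line and has no `@return`, although the function now returns `OPJ_BOOL`. Adding `*  @return OPJ_FALSE if a byte greater than 0x8F is found while unstuffing is active, OPJ_TRUE otherwise` before the closing `*/` would document the new contract. Only the tail of that comment block is visible in this hunk. Because the return type changed from `void`, any call site that still ignores the result compiles silently; the one in `opj_t1_ht_decode_cblk` is updated in this patch, and it is worth confirming there are no others.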
22*3ac0a46fSAndroid Build Coastguard Worker@@ -316,7 +316,9 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
23*3ac0a46fSAndroid Build Coastguard Worker         OPJ_UINT64 d;
24*3ac0a46fSAndroid Build Coastguard Worker         int d_bits;
25*3ac0a46fSAndroid Build Coastguard Worker
26*3ac0a46fSAndroid Build Coastguard Worker-        assert(melp->unstuff == OPJ_FALSE || melp->data[0] <= 0x8F);
27*3ac0a46fSAndroid Build Coastguard Worker+        if (melp->unstuff == OPJ_TRUE && melp->data[0] > 0x8F) {
28*3ac0a46fSAndroid Build Coastguard Worker+            return OPJ_FALSE;
29*3ac0a46fSAndroid Build Coastguard Worker+        }
30*3ac0a46fSAndroid Build Coastguard Worker         d = (melp->size > 0) ? *melp->data : 0xFF; // if buffer is consumed
31*3ac0a46fSAndroid Build Coastguard Worker         // set data to 0xFF
32*3ac0a46fSAndroid Build Coastguard Worker         if (melp->size == 1) {
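Review bot: The added condition reads `melp->data[0]` before the `melp->size > 0` guard that the very next line applies to the same pointer. If `size` can reach 0 inside this loop while `unstuff` is set, the check inspects a byte that the following line deliberately does not consume. Writing it as `if (melp->unstuff != OPJ_FALSE && melp->size > 0 && melp->data[0] > 0x8F) {` keeps the read behind the same bound. Using `!= OPJ_FALSE` also makes it the exact negation of the removed assert, whereas `== OPJ_TRUE` differs if `unstuff` ever holds a non-zero value other than `OPJ_TRUE`. The loop and the rest of `mel_init` lie outside the hunk, so how `size` and `unstuff` evolve should be confirmed there.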
33*3ac0a46fSAndroid Build Coastguard Worker@@ -332,6 +334,7 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
34*3ac0a46fSAndroid Build Coastguard Worker     }
35*3ac0a46fSAndroid Build Coastguard Worker     melp->tmp <<= (64 - melp->bits); //push all the way up so the first bit
36*3ac0a46fSAndroid Build Coastguard Worker     // is the MSB
37*3ac0a46fSAndroid Build Coastguard Worker+    return OPJ_TRUE;
38*3ac0a46fSAndroid Build Coastguard Worker }
39*3ac0a46fSAndroid Build Coastguard Worker
40*3ac0a46fSAndroid Build Coastguard Worker //************************************************************************/
41*3ac0a46fSAndroid Build Coastguard Worker@@ -1374,7 +1377,17 @@ OPJ_BOOL opj_t1_ht_decode_cblk(opj_t1_t *t1,
42*3ac0a46fSAndroid Build Coastguard Worker     }
43*3ac0a46fSAndroid Build Coastguard Worker
44*3ac0a46fSAndroid Build Coastguard Worker     // init structures
45*3ac0a46fSAndroid Build Coastguard Worker-    mel_init(&mel, coded_data, lcup, scup);
46*3ac0a46fSAndroid Build Coastguard Worker+    if (mel_init(&mel, coded_data, lcup, scup) == OPJ_FALSE) {
47*3ac0a46fSAndroid Build Coastguard Worker+        if (p_manager_mutex) {
48*3ac0a46fSAndroid Build Coastguard Worker+            opj_mutex_lock(p_manager_mutex);
49*3ac0a46fSAndroid Build Coastguard Worker+        }
50*3ac0a46fSAndroid Build Coastguard Worker+        opj_event_msg(p_manager, EVT_ERROR, "Malformed HT codeblock. "
51*3ac0a46fSAndroid Build Coastguard Worker+                      "Incorrect MEL segment sequence.\n");
52*3ac0a46fSAndroid Build Coastguard Worker+        if (p_manager_mutex) {
53*3ac0a46fSAndroid Build Coastguard Worker+            opj_mutex_unlock(p_manager_mutex);
54*3ac0a46fSAndroid Build Coastguard Worker+        }
55*3ac0a46fSAndroid Build Coastguard Worker+        return OPJ_FALSE;
56*3ac0a46fSAndroid Build Coastguard Worker+    }
57*3ac0a46fSAndroid Build Coastguard Worker     rev_init(&vlc, coded_data, lcup, scup);
58*3ac0a46fSAndroid Build Coastguard Worker     frwd_init(&magsgn, coded_data, lcup - scup, 0xFF);
59*3ac0a46fSAndroid Build Coastguard Worker     if (num_passes > 1) { // needs to be tested
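Review bot: The new failure branch has no comment saying which input condition it rejects, so the log text is the only hint. A line such as `// mel_init fails when the MEL segment holds a byte > 0x8F while unstuffing; abort this codeblock` above the `if` would tie it to the check in `mel_init`. The `rev_init` and `frwd_init` calls on the next two lines take the same `coded_data`, `lcup` and `scup`, and their results are not checked here; whether they have comparable preconditions is not visible in this hunk and is worth confirming. `opj_t1_ht_decode_cblk` starts and ends outside the hunk, so any cleanup needed before this early return cannot be judged from here.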