Merge pull request #1509 from rouault/fix_sycc420_to_rgb

opj_decompress: fix off-by-one read heap-buffer-overflow in sycc420_to_rgb() when x0 and y0 are odd (CVE-2021-3575, fixes #1347)
uclouvain · Feb 18, 2024 · 89bf51c · 89bf51c
2 parents 0e3b3bd + 7bd884f
commit 89bf51c
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/src/bin/common/color.c b/src/bin/common/color.c
@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img)
     if (i < loopmaxh) {
         size_t j;
 
-        for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) {
+        if (offx > 0U) {
+            sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
+            ++y;
+            ++r;
+            ++g;
+            ++b;
+        }
+
+        for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) {
             sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
 
             ++y;
@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img)
             ++cb;
             ++cr;
         }
-        if (j < maxw) {
+        if (j < loopmaxw) {
             sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
         }
     }