The value of m_sot_length is assigned/changed in multiple locations without
sufficient sanity checks.
E.g. at one point it's assigned |l_tot_len - 12| where l_tot_len is a 32-bit
unsigned integer read from the file itself (and thus untrusted) and at another
point |l_marker_size + 2| is subtracted from it where l_marker_size is an
untrusted 16-bit unsigned integer.
This can eventually lead to a write AV as reported at
https://code.google.com/p/sumatrapdf/issues/detail?id=2591 (the extracted JP2
stream has been attached).
Original issue reported on code.google.com by zeniko on 15 May 2014 at 8:28
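The two subtractions described in the report, modelled in C as an added example (this is not OpenJPEG's code and not part of the original report). sot_length_unchecked reproduces the unguarded arithmetic and shows the uint32 wrap both when Psot (l_tot_len) is below the 12 bytes of its own SOT segment and when a marker segment (l_marker_size + 2) is longer than the tile-part that holds it; sot_length_checked and parse_tile_part_header are a hardened counterpart that rejects the same inputs and bounds the result by the bytes actually present in the stream. The SOT layout (FF90, Lsot = 10, Psot as the 4-byte length counted from the SOT marker) follows T.800; the tile-part builder, the PLT segment used as the "next marker", and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed tile-part used below: 12-byte SOT segment, one 2-byte marker
 * plus its Lseg-byte segment, then zero-filled "data" up to TILE_PART_LEN. */
#define TILE_PART_LEN 120u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The arithmetic the report describes, with no validation. Names follow the
 * report; the function itself is a hypothetical model, not OpenJPEG's. */
uint32_t sot_length_unchecked(uint32_t l_tot_len, uint16_t l_marker_size)
{
    uint32_t m_sot_length = l_tot_len - 12;        /* wraps when Psot < 12 */
    m_sot_length -= (uint32_t)l_marker_size + 2;   /* wraps when the segment exceeds the tile-part */
    return m_sot_length;
}

/* Hardened form: every subtraction is guarded and Psot is bounded by the
 * bytes really available, so the result can never exceed what a later copy
 * into a tile buffer may read or write. Psot == 0 (length runs to EOC,
 * T.800 A.4.2) is assumed to be handled by the caller and is rejected here. */
bool sot_length_checked(uint32_t l_tot_len, uint16_t l_marker_size,
                        uint32_t bytes_available, uint32_t *m_sot_length)
{
    uint32_t remaining, seg;
    if (l_tot_len < 12 || l_tot_len > bytes_available)
        return false;          /* shorter than its own SOT segment, or past end of stream */
    remaining = l_tot_len - 12;
    seg = (uint32_t)l_marker_size + 2;
    if (l_marker_size < 2 || seg > remaining)
        return false;          /* marker segment longer than the tile-part holding it */
    *m_sot_length = remaining - seg;
    return true;
}

/* Write a constructed tile-part into buf (exactly TILE_PART_LEN bytes):
 * SOT = FF90 Lsot(10) Isot(2) Psot(4) TPsot(1) TNsot(1), then a PLT marker
 * (FF58) with length lseg, then zero data. psot is written as given so the
 * field can deliberately disagree with the real length. */
void build_tile_part(uint8_t buf[TILE_PART_LEN], uint32_t psot, uint16_t lseg)
{
    memset(buf, 0, TILE_PART_LEN);
    buf[0] = 0xFF; buf[1] = 0x90;               /* SOT */
    buf[2] = 0x00; buf[3] = 0x0A;               /* Lsot = 10 */
    buf[6] = (uint8_t)(psot >> 24); buf[7] = (uint8_t)(psot >> 16);
    buf[8] = (uint8_t)(psot >> 8);  buf[9] = (uint8_t)psot;
    buf[11] = 0x01;                             /* TNsot = 1 */
    buf[12] = 0xFF; buf[13] = 0x58;             /* PLT marker */
    buf[14] = (uint8_t)(lseg >> 8); buf[15] = (uint8_t)lseg;
}

/* Parse the SOT segment and the first marker segment of the tile-part
 * header, validating both lengths against what the buffer really holds. */
bool parse_tile_part_header(const uint8_t *buf, size_t len, uint32_t *m_sot_length)
{
    if (len < 16 || rd16(buf) != 0xFF90 || rd16(buf + 2) != 10)
        return false;
    return sot_length_checked(rd32(buf + 6), rd16(buf + 14),
                              (uint32_t)len, m_sot_length);
}

/* Build a tile-part with the given Psot / Lseg and run the checked parser.
 * Returns the resulting m_sot_length, or -1 if the input is rejected. */
long long run_case(uint32_t psot, uint16_t lseg)
{
    uint8_t buf[TILE_PART_LEN];
    uint32_t m_sot_length;
    build_tile_part(buf, psot, lseg);
    if (!parse_tile_part_header(buf, sizeof buf, &m_sot_length))
        return -1;
    return (long long)m_sot_length;
}

int main(void)
{
    printf("Psot=120 Lseg=6      unchecked=%u          checked=%lld\n",
           sot_length_unchecked(120, 6), run_case(120, 6));
    printf("Psot=4 (<12) Lseg=6  unchecked=0x%08x  checked=%lld\n",
           sot_length_unchecked(4, 6), run_case(4, 6));
    printf("Psot=20 Lseg=0xFFFF  unchecked=0x%08x  checked=%lld\n",
           sot_length_unchecked(20, 0xFFFF), run_case(20, 0xFFFF));
    return 0;
}
```

In the consistent case both versions agree on 100 bytes of tile data; for the two inconsistent files the unchecked value wraps to roughly 4 GiB (0xFFFFFFF0 and 0xFFFF0007), which is the number a subsequent read or memcpy would trust, while the checked parser refuses the tile-part.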