xuewend / openjpeg

Automatically exported from code.google.com/p/openjpeg
Other
0 stars 0 forks source link

mj2: Array overflow #485

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
In mj2.c the mj2_write_urn() function writes four 32bit words to the urn name 
field:

  cio_write(cio, tk->urn[urn_num].name[0], 4);
  cio_write(cio, tk->urn[urn_num].name[1], 4);
  cio_write(cio, tk->urn[urn_num].name[2], 4);
  cio_write(cio, tk->urn[urn_num].name[3], 4);

However, in mj2.h this array is defined as being two words long:

typedef struct mj2_urn {
  int name[2];
  int location[4];
} mj2_urn_t;

It will therefore overwrite location with name info, which is in turn 
overwritten by location info.

Original issue reported on code.google.com by per.math...@gmail.com on 11 Apr 2015 at 11:06