openjpeg2/0018-tcd_get_decoded_tile_size.patch

---
 src/lib/openjp2/j2k.c |    4 ++++
 src/lib/openjp2/tcd.c |   16 ++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

Index: openjpeg-2.1.2/src/lib/openjp2/j2k.c
===================================================================
--- openjpeg-2.1.2.orig/src/lib/openjp2/j2k.c
+++ openjpeg-2.1.2/src/lib/openjp2/j2k.c
@@ -8097,6 +8097,10 @@ OPJ_BOOL opj_j2k_read_tile_header(
         *p_tile_index = p_j2k->m_current_tile_number;
         *p_go_on = OPJ_TRUE;
         *p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+        if (*p_data_size == (OPJ_UINT32)-1) {
+                return OPJ_FALSE;
+        }
+
         *p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
         *p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
         *p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
Index: openjpeg-2.1.2/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg-2.1.2.orig/src/lib/openjp2/tcd.c
+++ openjpeg-2.1.2/src/lib/openjp2/tcd.c
@@ -1154,6 +1154,7 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size
         opj_tcd_tilecomp_t * l_tile_comp = 00;
         opj_tcd_resolution_t * l_res = 00;
         OPJ_UINT32 l_size_comp, l_remaining;
+        OPJ_UINT32 l_temp;
 
         l_tile_comp = p_tcd->tcd_image->tiles->comps;
         l_img_comp = p_tcd->image->comps;
@@ -1171,7 +1172,18 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size
                 }
 
                 l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
-                l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
+                l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)); /* x1*y1 can't overflow */
+
+                if (l_size_comp && ((OPJ_UINT32)-1) / l_size_comp < l_temp) {
+                        return (OPJ_UINT32)-1;
+                }
+                l_temp *= l_size_comp;
+
+                if (l_temp > ((OPJ_UINT32)-1) - l_data_size) {
+                        return (OPJ_UINT32)-1;
+                }
+                l_data_size += l_temp;
+
                 ++l_img_comp;
                 ++l_tile_comp;
         }
@@ -1366,7 +1378,7 @@ OPJ_BOOL opj_tcd_update_tile_data ( opj_
         OPJ_UINT32 l_stride, l_width,l_height;
 
         l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
-        if (l_data_size > p_dest_length) {
+        if (l_data_size == (OPJ_UINT32)-1 || l_data_size > p_dest_length) {
                 return OPJ_FALSE;
         }