From aeef5293c978158255ad4f127089644745602f2a Mon Sep 17 00:00:00 2001
From: Michael Adams
Date: Thu, 14 Dec 2023 19:04:19 -0800
Subject: [PATCH] Fixes #367. Fixed an integer-overflow bug in the ICC profile parsing code. Added another invalid image to the test set.

---
 data/test/bad/367-PoC.jp2    | Bin 0 -> 2916 bytes
 src/libjasper/base/jas_icc.c | 10 ++++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 data/test/bad/367-PoC.jp2
diff --git a/data/test/bad/367-PoC.jp2 b/data/test/bad/367-PoC.jp2 new file mode 100644 index 0000000000000000000000000000000000000000..96e73789bd0e8983367d447b5084ed739479b0bf GIT binary patch literal 2916 zcma)84OCO-8Gdi>O~NqTsa3Gp;YF=QB`k>!NLx|<3?RcS{HVxALvr&Ymn7c&Ac`)< zt<`NF@u$aQtF2m@o8qRe?pTXetOwoJ8cVg4BZGCV73x;1uCB^l_I?Q@(8JkwZ|?n` z?|q-|eV_0BzI$%~K(R{CadELP#sa`3i>JZ0%BA5DL%5BJ!`6n~c)QIkVmm%`F>*PD zK>nu5DToq8Ape!o8}z&qDk+Z*6%t z;yD14i578jd6+MGcCD>!8RB@fo9&*$vLX9gM@`96#5h)Rpw_vB#37tZCU-8@5~d^W zvGIjujZqH`W&RSb;31W;xi>r)9dc=u{H;GOI$%UHf z1H7OkxiCK6;qvH*G|+txp@ihZ`7$i;4$To`(tRFVSwVO#lkO4AhQ>0L7W?ADA%3Gv z2<=7G#vByA2BHn)Ggpjaz78?QVeayda#AO;lFMp*j4>MQ+J z+9$n+_bzF7biDM2v>VSZ$i@{ALW=58l|8f)?g&pgY7Xtl^nelXA0y9+T8EX6T2YIm zIWg)XmEd12xnBZJsZp!yPpZGGuBrB`4ytaC$`Oq?s!H?@`XqgZev3X$zXu$Bj&7&V z(jD|~>9->>$6otzl*rnL=1Xj3wqzBC^Np-E4+5LRPGx7XdF(XyNwzq`;@AXM%@(jv zp=WAj-Gr!r)LiVa0&6u~)vzkYFQD%!%v>o}*&5J(XoCf4O zNX7x&GlafxRD2+6^L!s*!58?>x)QZjdI4J9015M>wiJ9PPJRvGRJzG4`oi&mqTUB^ zTjps(eM*so@1~w$@E*Reo0YsMI>p)F4V#NoY8pJed-nQNZWzWY)mlxO zDwX3h(=_~Cl_oaW4CGG`NXmfnI4}O2(szTBo>&N5bImL#3`t^TVBw=>N@ZtU< z*C6;AW;H7f1g<76oKr z?@*K+erWhe72EXZ+X11sx#dA@piTd+0mXy5qd(fc`YYILOUi!o3(Nyu9!YzeJb0 ztv%3ocYUAwev)51zPe>lQ?E%e{Jb)`^JlSzrlQ>~eepd(oA%x3f2iA(v$$~k^=y;# z`g5BeewJvJS|1)$)Mb1;-?#Qyf6<1j$=YXcUb(P0P`c?cW5U@cm1<|)+tUU!=T`cP zSN6Bu+H&`eU%a$&o5$}@h79*!m8~J6VDq704t(|cnZyU{3ckKsk^Ih0?sEF9qaPH!b^edCEnlZz zZmc?cg6*Pn3tA@}JG}q>Tcdata.txt; txt->string = 0; + /* The string must at least contain a single null character. */ + if (cnt < 1) { + goto error; + } if (!(txt->string = jas_malloc(cnt))) { goto error; } if (jas_stream_read(in, txt->string, cnt) != cnt) { goto error; } + /* Ensure that the string is null terminated. */ + if (txt->string[cnt - 1] != '\0') { + goto error; + } + /* The following line is redundant, unless we do not enforce that + the last character must be null. */ txt->string[cnt - 1] = '\0'; if (strlen(txt->string) + 1 != cnt) { goto error;
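Review bot: in the jas_icc.c hunk, the assignment `txt->string[cnt - 1] = '\0';` that is kept after the new check `if (txt->string[cnt - 1] != '\0') { goto error; }` is now dead code, and the comment added directly above it says as much; either drop the assignment or drop the comment rather than commit a line annotated as redundant. The substantive fix is the new `if (cnt < 1) { goto error; }` guard: with `cnt == 0` the old code called `jas_malloc(0)` and then indexed `txt->string[cnt - 1]`, which evaluates to `-1` or wraps to a huge value depending on the type of `cnt` (not shown in the hunk), giving an out-of-bounds write; that is the integer-overflow case the commit message refers to, and a short comment naming #367 next to that guard would help future readers. Together with the existing `strlen(txt->string) + 1 != cnt` check, the three checks now enforce exactly one null byte, at the end of the string. Two things the hunk does not settle: `cnt` is still passed unbounded to `jas_malloc(cnt)`, so whether an attacker-controlled count is limited elsewhere cannot be judged from the visible lines, and the `diff --git` and `@@` headers for src/libjasper/base/jas_icc.c are missing from this extract (the hunk runs straight on from the binary literal), so the enclosing function cannot be named here.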