Fix bug #512: Crash when reading corrupted Jpeg2000 files

pierreldff · malaterre · commit 14825ceb1cb6 · 2026-02-24T21:19:04.000+01:00
Prevent overlay extraction in case of malformed overlay or image information.

Add warning to prevent user
diff --git a/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx b/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
@@ -1423,6 +1423,8 @@ bool JPEG2000Codec::GetHeaderInfo(const char * dummy_buffer, size_t buf_size, Tr
   opj_stream_t *cio = nullptr;
   opj_image_t *image = nullptr;
   const unsigned char *src = (const unsigned char*)dummy_buffer;
+  if(!src)
+	  return false ;
   size_t file_length = buf_size;
 
   /* set decoding parameters to default values */
diff --git a/Source/MediaStorageAndFileFormat/gdcmOverlay.h b/Source/MediaStorageAndFileFormat/gdcmOverlay.h
@@ -93,7 +93,12 @@ class GDCM_EXPORT Overlay : public Object
 
   /// set overlay from byte array + length
   void SetOverlay(const char *array, size_t length);
-  ///
+
+  /// \warning Before calling this method, you must verify the consistency
+  /// between the image metadata (Image PixelFormat, Rows, Columns) and the
+  /// overlay parameters. This pre-verification is required to ensure that the
+  /// bit-depth is compatible and that the overlay data fits within the
+  /// allocated pixel storage.
   bool GrabOverlayFromPixelData(DataSet const &ds);
 
   /// Return the Overlay Data as ByteValue:
diff --git a/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx b/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
@@ -546,7 +546,44 @@ static bool DoOverlays(const DataSet& ds, Pixmap& pixeldata)
           {
           gdcmWarningMacro( "Bits Allocated are wrong. Correcting." );
           ov.SetBitsAllocated( pixeldata.GetPixelFormat().GetBitsAllocated() );
-          }
+        }
+        const DataElement &pixeldataDe = ds.GetDataElement(Tag(0x7fe0, 0x0010));
+        const ByteValue *bv = pixeldataDe.GetByteValue();
+        if (!bv) {
+          gdcmWarningMacro(
+              "Could not extract overlay from encapsulated stream.");
+          continue;
+        }
+        unsigned long computedFramePixelsNb =
+            pixeldata.GetDimension(0) * pixeldata.GetDimension(1);
+
+        if (pixeldata.GetPixelFormat().GetPixelSize() == 0 ||
+            computedFramePixelsNb >
+                bv->GetLength() / pixeldata.GetPixelFormat().GetPixelSize()) {
+          gdcmWarningMacro("Image information is not persistent. Can't extract overlay #"
+              << idxoverlays);
+          continue;
+        }
+        signed short ovOriginY = ov.GetOrigin()[0];
+        signed short ovOriginX = ov.GetOrigin()[1];
+        long startPixel =
+            (ovOriginX - 1) + (ovOriginY - 1) * pixeldata.GetDimension(0);
+        if (startPixel < 0 ||
+            (unsigned long)startPixel >= computedFramePixelsNb) {
+          gdcmWarningMacro(
+              "Origin is not in image buffer. Can't extract overlay #"
+              << idxoverlays);
+          continue;
+        }
+        unsigned long lastPixelAccessed =
+            (unsigned long)startPixel +
+            (ov.GetRows() - 1) * pixeldata.GetDimension(0) +
+            (ov.GetColumns() - 1);
+        if (lastPixelAccessed >= computedFramePixelsNb) {
+          gdcmWarningMacro("Overlay not fit image buffer. Can't extract overlay "
+                           << idxoverlays);
+          continue;
+        }
 
         if( !ov.GrabOverlayFromPixelData(ds) )
           {
