Backport 940100c28ae28931722290794889cf84a92c5f6f from libopenjpeg20
Original commit message:
> Fix potential use-after-free in opj_j2k_write_mco function
>
> Fixes #563
FPIIM-794
Bug: 35443562
Change-Id: Ie46b9904a9d7bfb794c90c16e700cdede2a9dac4
(cherry picked from commit 76dddd89a6ff9b6104c408aac391f1877b173140)
diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
index e545819..f5a1b62 100644
--- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
+++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
@@ -5620,8 +5620,7 @@
assert(p_stream != 00);
l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
-
+
l_mco_size = 5 + l_tcp->m_nb_mcc_records;
if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
@@ -5636,6 +5635,8 @@
p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
}
+ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+
opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
l_current_data += 2;
@@ -5647,10 +5648,9 @@
++l_current_data;
l_mcc_record = l_tcp->m_mcc_records;
- for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+ for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
++l_current_data;
-
++l_mcc_record;
}