Bounds check before fixed-size memcmp() in CJPX_Decoder::Init().

core/src/fxcodec/codec/fx_codec_jpx_opj.cpp

Index: core/src/fxcodec/codec/fx_codec_jpx_opj.cpp
diff --git a/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp
index 4494244410854eb4f86c30fc547747d932191ce4..7fc788598ec9993d37faa27f2241a38352fe21ba 100644
--- a/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp
+++ b/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp
@@ -8,6 +8,10 @@
 #include "codec_int.h"
 #include "../fx_libopenjpeg/libopenjpeg20/openjpeg.h"
 #include "../lcms2/include/fx_lcms2.h"
+namespace {
+const char ExpectedJP2Header[] = "\x00\x00\x00\x0c\x6a\x50\x20\x20\x0d\x0a\x87\x0a";
+const size_t ExpectedJP2HeaderSize = sizeof(ExpectedJP2Header) - 1;

[jun_fang, 2014/08/26 22:09:15]

are you sure that it needs to subtract 1 (-1)? sizeof(array) indicates the
actual length of an array.

+}  // namespace
 static void fx_error_callback(const char *msg, void *client_data)
 {
     (void)client_data;
@@ -581,7 +585,9 @@ CJPX_Decoder::~CJPX_Decoder()
 }
 FX_BOOL CJPX_Decoder::Init(const unsigned char* src_data, int src_size)
 {
-    opj_dparameters_t parameters;
+    if (!src_data || src_size < ExpectedJP2HeaderSize) {
+        return FALSE;
+    }
     image = NULL;
     m_SrcData = src_data;
     m_SrcSize = src_size;
@@ -593,10 +599,11 @@ FX_BOOL CJPX_Decoder::Init(const unsigned char* src_data, int src_size)
     if (l_stream == NULL) {
         return FALSE;
     }
+    opj_dparameters_t parameters;
     opj_set_default_decoder_parameters(&parameters);
     parameters.decod_format = 0;
     parameters.cod_format = 3;
-    if(FXSYS_memcmp32(m_SrcData, "\x00\x00\x00\x0c\x6a\x50\x20\x20\x0d\x0a\x87\x0a", 12) == 0) {
+    if(FXSYS_memcmp32(m_SrcData, ExpectedJP2Header, ExpectedJP2HeaderSize) == 0) {
         l_codec = opj_create_decompress(OPJ_CODEC_JP2);
         parameters.decod_format = 1;
     } else {