From a817136f7edbd0e9d9ce46d1faf15506ed9478a0 Mon Sep 17 00:00:00 2001
From: headshog
Date: Wed, 6 Dec 2023 17:30:29 +0300
Subject: [PATCH] opj_j2k_merge_ppm(): avoid unsigned-integer-overflow at j2k.c:3962 (#1490)
---
 src/lib/openjp2/j2k.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 9dbba8f1b..9db1bbd7f 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -3959,9 +3959,12 @@ static OPJ_BOOL opj_j2k_merge_ppm(opj_cp_t *p_cp, opj_event_mgr_t * p_manager)
 opj_read_bytes(l_data, &l_N_ppm, 4);
 l_data += 4;
 l_data_size -= 4;
- l_ppm_data_size +=
- l_N_ppm; /* can't overflow, max 256 markers of max 65536 bytes, that is when PPM markers are not corrupted which is checked elsewhere */
+ if (l_ppm_data_size > UINT_MAX - l_N_ppm) {
+ opj_event_msg(p_manager, EVT_ERROR, "Too large value for Nppm\n");
+ return OPJ_FALSE;
+ }
+ l_ppm_data_size += l_N_ppm;
 if (l_data_size >= l_N_ppm) {
 l_data_size -= l_N_ppm;
 l_data += l_N_ppm;
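Review bot: The new guard on `l_ppm_data_size` bounds the sum with `UINT_MAX`, the limit of `unsigned int`, while the declarations of `l_ppm_data_size` and `l_N_ppm` are outside the hunk; if they are the project's 32-bit unsigned type, as the 4-byte `opj_read_bytes` suggests, a limit tied to that width keeps the check exact on every platform, e.g. `if (l_ppm_data_size > UINT32_MAX - l_N_ppm) {`. The commit also deletes the only comment on this accumulation, so I would put `/* Nppm is read from the codestream; reject it before the running total wraps */` above the check, since the total presumably sizes the merged PPM buffer later in the function. The message `"Too large value for Nppm\n"` blames a single marker although it is the accumulated size that overflows, so wording that names the cumulative PPM data size would be easier to triage. The body of opj_j2k_merge_ppm starts and ends outside this hunk, so whether the early `return OPJ_FALSE` leaves anything to release cannot be confirmed from here.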