From 259c3fc7d377686f62e79310c2fad5b642fe4dba Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Mon, 8 Apr 2024 08:20:18 -0400
Subject: [PATCH] LibGfx/JPEG2000: Check tile_part_length ("Psot") validity
---
 Userland/Libraries/LibGfx/ImageFormats/JPEG2000Loader.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Userland/Libraries/LibGfx/ImageFormats/JPEG2000Loader.cpp b/Userland/Libraries/LibGfx/ImageFormats/JPEG2000Loader.cpp
index 2bffd274aac..2d8c77738d0 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/JPEG2000Loader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/JPEG2000Loader.cpp
@@ -249,6 +249,8 @@ static ErrorOr parse_codestream_tile_header(JPEG2000LoadingContext& contex
 tile_bitstream_length = context.codestream_data.size() - context.codestream_cursor - 2;
 } else {
 u32 tile_header_length = context.codestream_cursor - tile_start;
+ if (start_of_tile.tile_part_length < tile_header_length)
+ return Error::from_string_literal("JPEG2000ImageDecoderPlugin: Invalid tile part length");
 tile_bitstream_length = start_of_tile.tile_part_length - tile_header_length;
 }
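Review bot: The added guard in the `else` branch bounds `tile_part_length` only from below, so a file-supplied Psot larger than the data remaining in the codestream still yields a `tile_bitstream_length` that runs past the end of the buffer. The body of `parse_codestream_tile_header` continues outside the hunk, so an upper-bound check may already follow. If it does not, one belongs right after the if/else, written in subtraction form so that adding the cursor cannot wrap: `if (tile_bitstream_length > context.codestream_data.size() - context.codestream_cursor) return Error::from_string_literal("JPEG2000ImageDecoderPlugin: Tile part length exceeds codestream");`. A short comment on the new check would also help, e.g. `// Psot is measured from tile_start, so it must cover at least the tile-part header.` Finally, `context.codestream_cursor - tile_start` is stored in a `u32`; if those operands are `size_t`, an explicit cast would make the narrowing visible.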