improve reading of JPEG-2000 'cdef' box

libheif/api/libheif/heif.h

@@ -1136,7 +1136,7 @@ struct heif_security_limits {
   uint32_t max_color_profile_size;
   uint64_t max_memory_block_size;
 
-  uint32_t max_uncompressed_components;
+  uint32_t max_components;
 
   uint32_t max_iloc_extents_per_item;
   uint32_t max_size_entity_group;

libheif/codecs/jpeg2000_boxes.cc

@@ -31,14 +31,34 @@ static const uint16_t JPEG2000_SOC_MARKER = 0xFF4F;
 
 Error Box_cdef::parse(BitstreamRange& range, const heif_security_limits* limits)
 {
-  int channel_count = range.read16();
+  uint16_t channel_count = range.read16();
 
-  for (int i = 0; i < channel_count && !range.error() && !range.eof(); i++) {
+  if (limits->max_components && channel_count > limits->max_components) {
+    std::stringstream sstr;
+    sstr << "cdef box wants to define " << channel_count << " JPEG-2000 channels, but the security limit is set to "
+         << limits->max_components << " components";
+    return {heif_error_Invalid_input,
+            heif_suberror_Security_limit_exceeded,
+            sstr.str()};
+  }
+
+  if (channel_count > range.get_remaining_bytes() / 6) {
+    std::stringstream sstr;
+    sstr << "cdef box wants to define " << channel_count << " JPEG-2000 channels, but file only contains "
+         << range.get_remaining_bytes() / 6 << " components";
+    return {heif_error_Invalid_input,
+            heif_suberror_End_of_data,
+            sstr.str()};
+  }
+
+  m_channels.resize(channel_count);
+
+  for (uint16_t i = 0; i < channel_count && !range.error() && !range.eof(); i++) {
     Channel channel;
     channel.channel_index = range.read16();
     channel.channel_type = range.read16();
     channel.channel_association = range.read16();
-    m_channels.push_back(channel);
+    m_channels[i] = channel;
   }
 
   return range.get_error();

libheif/codecs/uncompressed/unc_boxes.cc

@@ -133,10 +133,10 @@ Error Box_cmpd::parse(BitstreamRange& range, const heif_security_limits* limits)
 {
   uint32_t component_count = range.read32();
 
-  if (limits->max_uncompressed_components && component_count > limits->max_uncompressed_components) {
+  if (limits->max_components && component_count > limits->max_components) {
     std::stringstream sstr;
     sstr << "cmpd box should countain " << component_count << " components, but security limit is set to "
-         << limits->max_uncompressed_components << " components";
+         << limits->max_components << " components";
 
     return {heif_error_Invalid_input,
             heif_suberror_Security_limit_exceeded,
@@ -250,10 +250,10 @@ Error Box_uncC::parse(BitstreamRange& range, const heif_security_limits* limits)
 
     uint32_t component_count = range.read32();
 
-    if (limits->max_uncompressed_components && component_count > limits->max_uncompressed_components) {
+    if (limits->max_components && component_count > limits->max_components) {
       std::stringstream sstr;
       sstr << "Number of image components (" << component_count << ") exceeds security limit ("
-           << limits->max_uncompressed_components << ")";
+           << limits->max_components << ")";
 
       return {heif_error_Invalid_input,
               heif_suberror_Security_limit_exceeded,

libheif/context.cc

@@ -122,7 +122,7 @@ static void copy_security_limits(heif_security_limits* dst, const heif_security_
   dst->max_color_profile_size = src->max_color_profile_size;
   dst->max_memory_block_size = src->max_memory_block_size;
 
-  dst->max_uncompressed_components = src->max_uncompressed_components;
+  dst->max_components = src->max_components;
   dst->max_iloc_extents_per_item = src->max_iloc_extents_per_item;
   dst->max_size_entity_group = src->max_size_entity_group;
 

libheif/security_limits.cc

@@ -37,7 +37,7 @@ struct heif_security_limits global_security_limits {
     .max_color_profile_size = 100 * 1024 * 1024, // 100 MB
     .max_memory_block_size = 512 * 1024 * 1024,  // 512 MB
 
-    .max_uncompressed_components = 256,
+    .max_components = 256,
     .max_iloc_extents_per_item = 32,
     .max_size_entity_group = 64,