integer underflow may lead to writing garbage

[setharnold]

openjpeg/src/bin/mj2/opj_mj2_extract.c

Line 149 in 06f7d41

fwrite(frame_codestream, sample->sample_size - 8, 1, outfile);

    for (snum = 0; snum < track->num_samples; snum++) {
        sample = &track->sample[snum];
        frame_codestream = (unsigned char*) malloc(sample->sample_size -
                           8); /* Skipping JP2C marker*/    /* XXX underflow causes huge allocation */
        fseek(file, sample->offset + 8, SEEK_SET);
        fread(frame_codestream, sample->sample_size - 8, 1, /* XXX huge read, no error check */
              file); /* Assuming that jp and ftyp markers size do*/

        sprintf(outfilename, "%s_%05d.j2k", argv[2], snum);
        outfile = fopen(outfilename, "wb");
        if (!outfile) {
            fprintf(stderr, "failed to open %s for writing\n", outfilename);
            return 1;
        }
        fwrite(frame_codestream, sample->sample_size - 8, 1, outfile); /* XXX underflow causes huge write */
        fclose(outfile);
        free(frame_codestream);

Hello, I believe the sample->sample_size - 8 calculation in this segment may lead to an integer underflow issue if the sample size is e.g. 4, where a huge amount of memory is allocated, a huge read is attempted (but the fread(3) return value is ignored, so a short read won't be noticed), and then a huge fwrite(3) is attempted with probable garbage values in most of the allocated buffer.

Thanks