author | Bo Xu <bo_xu@foxitsoftware.com> | 2014-10-03 12:29:54 -0700 |
---|---|---|
committer | Bo Xu <bo_xu@foxitsoftware.com> | 2014-10-31 10:11:42 -0700 |
commit | 0bd0f5e2a5a79d4f81c7bab20a0f8552da4a6b00 (patch) | |
tree | 2fbc8b775d5c0203208fa833faece8010f90b8c7 | |
parent | d17613bd0f3b4c900dfe4f9dc60666083cb47253 (diff) | |
download | pdfium-0bd0f5e2a5a79d4f81c7bab20a0f8552da4a6b00.tar.xz |
check pointer overflow in t2.c
BUG=413375
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/624023003
-rw-r--r-- | core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c | 2 | ||||
-rw-r--r-- | core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c index dd188c1ba7..683d0415cf 100644 --- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c +++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c @@ -1280,7 +1280,7 @@ OPJ_BOOL opj_jp2_read_colr( opj_jp2_t *jp2, } else if (jp2->meth > 2) { - /* ISO/IEC 15444-1:2004 (E), Table I.9 Legal METH values: + /* ISO/IEC 15444-1:2004 (E), Table I.9 Legal METH values: conforming JP2 reader shall ignore the entire Colour Specification box.*/ opj_event_msg(p_manager, EVT_INFO, "COLR BOX meth value is not a regular value (%d), " "so we will ignore the entire Colour Specification box. \n", jp2->meth); diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c index f2a7c9a57c..cdd35e8c22 100644 --- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c +++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c @@ -1132,7 +1132,7 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2, do { /* Check possible overflow (on l_current_data only, assumes input args already checked) then size */ - if (((OPJ_SIZE_T)(l_current_data + l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) { + if ((((OPJ_SIZE_T)l_current_data + (OPJ_SIZE_T)l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) { fprintf(stderr, "read: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n", l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno); return OPJ_FALSE; |
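Review bot: In the t2.c hunk, the second half of the condition, `l_current_data + l_seg->newlen > p_src_data + p_max_length`, still computes the sum as a pointer, so the bound comparison remains undefined behaviour when the sum leaves the buffer, and a compiler may assume that never happens. Only the first clause was moved to integer arithmetic. Comparing lengths avoids forming the out-of-range pointer and makes the wrap test redundant: `if (l_seg->newlen > (OPJ_SIZE_T)((p_src_data + p_max_length) - l_current_data)) {`. This presumably relies on l_current_data staying within [p_src_data, p_src_data + p_max_length], which is established outside the hunk and should be confirmed. The comment above the check could then state that newlen comes from the codestream and is compared with the bytes remaining in the source buffer. The do-loop and the body of opj_t2_read_packet_data start and end outside the hunk.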