Merge to M44: Fix an integer overflow issue in openJpegchromium/2403

Fixing this issue for an urgent request. It should be fixed in OpenJPEG side. BUG=506763 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1231933008 . (cherry picked from commit d1b0a8d9dc71c67b4ce67f148cebc01d66d1d983) Review URL: https://codereview.chromium.org/1245853002 .
author: Lei Zhang <thestig@chromium.org> 2015-07-20 17:16:04 -0700
committer: Lei Zhang <thestig@chromium.org> 2015-07-20 17:16:04 -0700
commit: 3ecc289ce0d1a639a9b3f6c59d10952269692d04 (patch)
tree: 8e20c10d7a88885db9bed130d20ccd2b655c14dc
parent: 12d0f7b4eae9c2b40433500b15955f61050132aa (diff)
download: pdfium-chromium/2403.tar.xz
1 files changed, 8 insertions, 1 deletions
diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
index 393a1e5540..d2ba3a14c6 100644
--- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
+++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
@@ -36,6 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <limits.h>
 #include "opj_includes.h"
 
 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	l_current_pi = l_pi;
 
 	/* memory allocation for include */
-	l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+	l_current_pi->include = 00;
+	if
+		(l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+	{
+		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16));
+	}
+
 	if
 		(!l_current_pi->include)
 	{
author	Lei Zhang <thestig@chromium.org>	2015-07-20 17:16:04 -0700
committer	Lei Zhang <thestig@chromium.org>	2015-07-20 17:16:04 -0700
commit	3ecc289ce0d1a639a9b3f6c59d10952269692d04 (patch)
tree	8e20c10d7a88885db9bed130d20ccd2b655c14dc
parent	12d0f7b4eae9c2b40433500b15955f61050132aa (diff)
download	pdfium-chromium/2403.tar.xz