author | Lei Zhang <thestig@chromium.org> | 2015-07-20 17:16:04 -0700 |
---|---|---|
committer | Lei Zhang <thestig@chromium.org> | 2015-07-20 17:16:04 -0700 |
commit | 3ecc289ce0d1a639a9b3f6c59d10952269692d04 (patch) | |
tree | 8e20c10d7a88885db9bed130d20ccd2b655c14dc | |
parent | 12d0f7b4eae9c2b40433500b15955f61050132aa (diff) | |
download | pdfium-3ecc289ce0d1a639a9b3f6c59d10952269692d04.tar.xz |
Merge to M44: Fix an integer overflow issue in openJpegchromium/2403
Fixing this issue for an urgent request. It should be fixed on the OpenJPEG side.
BUG=506763
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1231933008 .
(cherry picked from commit d1b0a8d9dc71c67b4ce67f148cebc01d66d1d983)
Review URL: https://codereview.chromium.org/1245853002 .
-rw-r--r-- | core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
index 393a1e5540..d2ba3a14c6 100644
--- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
+++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/pi.c
@@ -36,6 +36,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */

+#include <limits.h>
 #include "opj_includes.h"

 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 l_current_pi = l_pi;

 /* memory allocation for include */
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include = 00;
+ if
+ (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+ {
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16));
+ }
+
 if
 (!l_current_pi->include)
 { |
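Review bot: The new guard on `(l_tcp->numlayers + 1) * l_step_l` bounds only this last multiplication, while `l_step_l` is computed outside the hunk. If it is itself a product of values taken from the codestream (not visible here), it may already have wrapped before the check runs, and an undersized `include` buffer would still be allocated. It is worth confirming that the earlier step computations are range-checked, and recording the assumption next to the guard, for example `/* guards (numlayers + 1) * l_step_l only; l_step_l must already be overflow-free */`. The bound also uses `UINT_MAX` while the operands appear to be OPJ_UINT32, so the check presumes `unsigned int` is exactly 32 bits wide; a limit tied to the operand type, such as `(OPJ_UINT32)-1`, would keep the two in step. opj_pi_create_decode starts and ends outside the hunk.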