Merge to M48: openjpeg: Fix potential bad precno value in opj_pi_next* functions.

TBR=thestig@chromium.org BUG=571479 Original Review URL: https://codereview.chromium.org/1585243003 . (cherry picked from commit 0b56371b1e9683676cf191f2d9d41d40d47c3726) Review URL: https://codereview.chromium.org/1667243003 .
author: Oliver Chang <ochang@chromium.org> 2016-02-05 09:33:45 -0800
committer: Oliver Chang <ochang@chromium.org> 2016-02-05 09:33:45 -0800
commit: e6d8b1ad419408bad268ea7b22ab0034240be4f3 (patch)
tree: 07ab79cd7ebf8144d7bc178c938988a21d7e51ed
parent: 7cc20e98504730a361d8589fff382bc9b9b770e9 (diff)
download: pdfium-e6d8b1ad419408bad268ea7b22ab0034240be4f3.tar.xz
2 files changed, 43 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0009-opj_pi_next.patch b/third_party/libopenjpeg20/0009-opj_pi_next.patch
new file mode 100644
index 0000000000..a7701f0d05
--- /dev/null
+++ b/third_party/libopenjpeg20/0009-opj_pi_next.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
+index 06f1e41..462e07c 100644
+--- a/third_party/libopenjpeg20/pi.c
++++ b/third_party/libopenjpeg20/pi.c
+@@ -377,6 +377,9 @@ if (!pi->tp_on){
+ 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++					if (pi->precno >= res->pw * res->ph) {
++						return OPJ_FALSE;
++					}
+ 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ 						if (!pi->include[index]) {
+@@ -458,6 +461,9 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
+ 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++					if (pi->precno >= res->pw * res->ph) {
++						return OPJ_FALSE;
++					}
+ 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ 						if (!pi->include[index]) {
+@@ -537,6 +543,9 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) {
+ 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++					if (pi->precno >= res->pw * res->ph) {
++						return OPJ_FALSE;
++					}
+ 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ 						if (!pi->include[index]) {
diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
index da954804ee..9097e31a0e 100644
--- a/third_party/libopenjpeg20/pi.c
+++ b/third_party/libopenjpeg20/pi.c
@@ -377,6 +377,9 @@ if (!pi->tp_on){
 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+					if (pi->precno >= res->pw * res->ph) {
+						return OPJ_FALSE;
+					}
 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
 						if (!pi->include[index]) {
@@ -458,6 +461,9 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+					if (pi->precno >= res->pw * res->ph) {
+						return OPJ_FALSE;
+					}
 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
 						if (!pi->include[index]) {
@@ -537,6 +543,9 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) {
 					prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
 						 - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
 					pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+					if (pi->precno >= res->pw * res->ph) {
+						return OPJ_FALSE;
+					}
 					for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
 						index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
 						if (!pi->include[index]) {
author	Oliver Chang <ochang@chromium.org>	2016-02-05 09:33:45 -0800
committer	Oliver Chang <ochang@chromium.org>	2016-02-05 09:33:45 -0800
commit	e6d8b1ad419408bad268ea7b22ab0034240be4f3 (patch)
tree	07ab79cd7ebf8144d7bc178c938988a21d7e51ed
parent	7cc20e98504730a361d8589fff382bc9b9b770e9 (diff)
download	pdfium-e6d8b1ad419408bad268ea7b22ab0034240be4f3.tar.xz