diff options
author | dsinclair <dsinclair@chromium.org> | 2016-09-12 14:04:08 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-12 14:04:08 -0700 |
commit | db319ec6a9330e75276b873f6027caddf2a15ec0 (patch) | |
tree | 846a18c97bdd9f2649c7bc868ab37cde591ec3d4 | |
parent | 01b67ed9b441cd485997bc08482def1f2ab265db (diff) | |
download | pdfium-db319ec6a9330e75276b873f6027caddf2a15ec0.tar.xz |
Verify value of prec before using
The fx_codec_jpx_opj code will attempt to do a 1 << (prec - 1). If the prec
value is >=32 then that shift will overflow the int value. This CL adds a check
that prec is < 32 before attempting the shift.
BUG=chromium:633208
Review-Url: https://codereview.chromium.org/2334823002
-rw-r--r-- | core/fxcodec/codec/fx_codec_jpx_opj.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/core/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/fxcodec/codec/fx_codec_jpx_opj.cpp index ed9331974d..a1c38d06e9 100644 --- a/core/fxcodec/codec/fx_codec_jpx_opj.cpp +++ b/core/fxcodec/codec/fx_codec_jpx_opj.cpp @@ -231,6 +231,9 @@ static void sycc422_to_rgb(opj_image_t* img) { return; int prec = img->comps[0].prec; + if (prec <= 0 || prec >= 32) + return; + int offset = 1 << (prec - 1); int upb = (1 << prec) - 1; |