summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJUN FANG <jun_fang@foxitsoftware.com>2015-07-13 06:34:20 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-07-13 06:38:16 -0700
commit83ad95c4e0b220a37af078e7e4e45b199052bf2e (patch)
treefaf92b975c09a1ec4fd0d4dc4c5b73560b44da74
parent01f9dfbc16da03aa4d29338aabd0ca4403234776 (diff)
downloadpdfium-83ad95c4e0b220a37af078e7e4e45b199052bf2e.tar.xz
Merge to XFA: Fix an integer overflow issue in openJpeg
Fixing this issue for an urgent request. It should be fixed in OpenJPEG side. BUG=506763 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1231933008 .
-rw-r--r--third_party/libopenjpeg20/pi.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
index 393a1e5540..d2ba3a14c6 100644
--- a/third_party/libopenjpeg20/pi.c
+++ b/third_party/libopenjpeg20/pi.c
@@ -36,6 +36,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+#include <limits.h>
#include "opj_includes.h"
/** @defgroup PI PI - Implementation of a packet iterator */
@@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
l_current_pi = l_pi;
/* memory allocation for include */
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include = 00;
+ if
+ (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+ {
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16));
+ }
+
if
(!l_current_pi->include)
{