authorJun Fang <jun_fang@foxitsoftware.com>2015-12-15 12:01:06 +0800
committerJun Fang <jun_fang@foxitsoftware.com>2015-12-15 12:01:06 +0800
commit7068d0aaf6234adb853518ef26dd602b39e70b3e (patch)
tree3b0c5605fcb28e61a64f64e7080e1aa7e0c50db1
parentd4606455ef9be6f1e242c9fc72821a8c221d4a40 (diff)
downloadpdfium-7068d0aaf6234adb853518ef26dd602b39e70b3e.tar.xz
Merge to XFA: Fix a dividing zero bug in opj_tcd_init_tile()
BUG=541446 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1520203002 . Review URL: https://codereview.chromium.org/1520323004 .
-rw-r--r--third_party/libopenjpeg20/0006-tcd_init_tile.patch16
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/tcd.c5
3 files changed, 21 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/0006-tcd_init_tile.patch b/third_party/libopenjpeg20/0006-tcd_init_tile.patch
new file mode 100644
index 0000000000..6c00f4096b
--- /dev/null
+++ b/third_party/libopenjpeg20/0006-tcd_init_tile.patch
@@ -0,0 +1,16 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 2fccff1..aebe9be 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -727,7 +727,10 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx);
+ l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);
+ /*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/
+-
++ if (l_tilec->x0 >= l_tilec->x1 || l_tilec->y0 >= l_tilec->y1) {
++ opj_event_msg(manager, EVT_ERROR, "Invalid tile data\n");
++ return OPJ_FALSE;
++ }
+ /* compute l_data_size with overflow check */
+ l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0);
+ if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 67f2f6e500..e3d61e891c 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -15,4 +15,5 @@ Local Modifications:
0003-dwt-decode.patch: Check array bounds for opj_dwt_decode_1() and friends.
0004-j2k_read_mcc.patch: Move incrementing of l_tcp->m_nb_mcc_records to the right place.
0005-jp2_apply_pclr.patch: Fix out of bounds access.
+0006-tcd_init_tile.patch: Fix a dividing zero bug in opj_tcd_init_tile().
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
index 2fccff1c9c..aebe9be96c 100644
--- a/third_party/libopenjpeg20/tcd.c
+++ b/third_party/libopenjpeg20/tcd.c
@@ -727,7 +727,10 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx);
l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);
/*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/
-
+ if (l_tilec->x0 >= l_tilec->x1 || l_tilec->y0 >= l_tilec->y1) {
+ opj_event_msg(manager, EVT_ERROR, "Invalid tile data\n");
+ return OPJ_FALSE;
+ }
/* compute l_data_size with overflow check */
l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0);
if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {
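Review bot: The added guard on `l_tilec->x0 >= l_tilec->x1 || l_tilec->y0 >= l_tilec->y1` has no comment saying what it protects, although it is what keeps `l_data_size` non-zero for the `((OPJ_UINT32)-1) / l_data_size` division a few lines below, and it also rejects inverted bounds whose difference would wrap when cast to `OPJ_UINT32`. I would add `/* Reject empty or inverted tile-component bounds: l_data_size below must be non-zero and must not wrap. */` directly above the `if`. The message `"Invalid tile data\n"` does not identify the failing tile; since `p_tile_no` is in scope, something like `"Invalid tile-component bounds in tile %u\n"` with `p_tile_no` would make a malformed-file report easier to triage. The body of opj_tcd_init_tile starts and ends outside this hunk, so whether the new early return leaves earlier per-tile allocations for the caller to release cannot be confirmed from here.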