author | Dan Sinclair <dsinclair@chromium.org> | 2017-06-08 15:09:35 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-06-08 19:41:04 +0000 |
commit | 2ddf1ccbf8c0596c0ba994114420a50fca2240f3 (patch) | |
tree | 8219bc4bca22b75fe34ba1b33d3755339d7d7af2 | |
parent | 0915087c64d64023f503d466b73835c09d0ed3a3 (diff) | |
download | pdfium-2ddf1ccbf8c0596c0ba994114420a50fca2240f3.tar.xz |
Guard against undefined shifting in JPX decoder
If the prec value in sycc444_to_rgb is more than 30 then when we shift
left we'll go negative. The subsequent -1 will cause an overflow. This
CL early returns if the prec value is > 30.
Bug: chromium:728321
Change-Id: I4d25e9bab840bc6d46f8db3490c9484392cd7a32
Reviewed-on: https://pdfium-review.googlesource.com/6414
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | core/fxcodec/codec/fx_codec_jpx_opj.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/core/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/fxcodec/codec/fx_codec_jpx_opj.cpp index 9627025164..74ab5f277d 100644 --- a/core/fxcodec/codec/fx_codec_jpx_opj.cpp +++ b/core/fxcodec/codec/fx_codec_jpx_opj.cpp @@ -162,6 +162,9 @@ static void sycc_to_rgb(int offset, static void sycc444_to_rgb(opj_image_t* img) { int prec = img->comps[0].prec; + // If we shift 31 we're going to go negative, then things go bad. + if (prec > 30) + return; int offset = 1 << (prec - 1); int upb = (1 << prec) - 1; OPJ_UINT32 maxw = |
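Review bot: The guard added at the top of sycc444_to_rgb only bounds prec from above, so `int offset = 1 << (prec - 1);` still shifts by a negative count when prec is 0, which is undefined in the same way as the case being fixed. Consider `if (prec < 1 || prec > 30) return;`. The comment would be more useful if it named the expression that overflows, `(1 << prec) - 1`, instead of "things go bad". Because the function returns void, the early return leaves the image unconverted with no signal to the caller, so it is worth confirming that callers tolerate that. The diffstat shows only this one file changed, so no regression test for a prec value above 30 is included.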