authorOliver Chang <ochang@chromium.org>2015-12-14 15:07:26 -0800
committerOliver Chang <ochang@chromium.org>2015-12-14 15:07:26 -0800
commit3026f26aa69e983837d05a5477fe22e79aed0d26 (patch)
tree1b45a6f0f58fd74b50f2875e93b98cfc1f09dbbc
parent1eb7477b3e7c5cb7c54ca364810ab9a24acad4f9 (diff)
downloadpdfium-3026f26aa69e983837d05a5477fe22e79aed0d26.tar.xz
openjpeg: Fix crash in opj_jp2_apply_pclr
R=tsepez@chromium.org, antonin@gmail.com, mathieu.malaterre@gmail.com BUG=554172 Review URL: https://codereview.chromium.org/1492693003 .
-rw-r--r--third_party/libopenjpeg20/0005-jp2_apply_pclr.patch49
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/jp2.c14
3 files changed, 57 insertions, 7 deletions
diff --git a/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch b/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch
new file mode 100644
index 0000000000..fd3ca634ca
--- /dev/null
+++ b/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch
@@ -0,0 +1,49 @@
+diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
+index 47f83a1..6e910a9 100644
+--- a/third_party/libopenjpeg20/jp2.c
++++ b/third_party/libopenjpeg20/jp2.c
+@@ -902,7 +902,7 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid component/palette index for direct mapping %d.\n", pcol);
+ is_sane = OPJ_FALSE;
+ }
+- else if (pcol_usage[pcol] && cmap[i].mtyp == 1) {
++ else if (pcol_usage[pcol] && cmap[i].mtyp != 0) {
+ opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
+ is_sane = OPJ_FALSE;
+ }
+@@ -982,8 +982,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ assert( pcol == 0 );
+ new_comps[i] = old_comps[cmp];
+ } else {
+- assert( i == pcol );
+- new_comps[pcol] = old_comps[cmp];
++ assert( i == pcol ); // probably wrong?
++ new_comps[i] = old_comps[cmp];
+ }
+
+ /* Palette mapping: */
+@@ -1007,11 +1007,11 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ cmp = cmap[i].cmp; pcol = cmap[i].pcol;
+ src = old_comps[cmp].data;
+ assert( src );
+- max = new_comps[pcol].w * new_comps[pcol].h;
++ max = new_comps[i].w * new_comps[i].h;
+
+ /* Direct use: */
+ if(cmap[i].mtyp == 0) {
+- assert( cmp == 0 );
++ assert( cmp == 0 ); // probably wrong.
+ dst = new_comps[i].data;
+ assert( dst );
+ for(j = 0; j < max; ++j) {
+@@ -1019,8 +1019,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ }
+ }
+ else {
+- assert( i == pcol );
+- dst = new_comps[pcol].data;
++ assert( i == pcol ); // probably wrong?
++ dst = new_comps[i].data;
+ assert( dst );
+ for(j = 0; j < max; ++j) {
+ /* The index */
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 728c0d8b99..67f2f6e500 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -14,4 +14,5 @@ Local Modifications:
0002-packet-iterator.patch: Fix integer overflow in opj_pi_create_decode().
0003-dwt-decode.patch: Check array bounds for opj_dwt_decode_1() and friends.
0004-j2k_read_mcc.patch: Move incrementing of l_tcp->m_nb_mcc_records to the right place.
+0005-jp2_apply_pclr.patch: Fix out of bounds access.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
index 47f83a1abc..6e910a911a 100644
--- a/third_party/libopenjpeg20/jp2.c
+++ b/third_party/libopenjpeg20/jp2.c
@@ -902,7 +902,7 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
opj_event_msg(p_manager, EVT_ERROR, "Invalid component/palette index for direct mapping %d.\n", pcol);
is_sane = OPJ_FALSE;
}
- else if (pcol_usage[pcol] && cmap[i].mtyp == 1) {
+ else if (pcol_usage[pcol] && cmap[i].mtyp != 0) {
opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
is_sane = OPJ_FALSE;
}
@@ -982,8 +982,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
assert( pcol == 0 );
new_comps[i] = old_comps[cmp];
} else {
- assert( i == pcol );
- new_comps[pcol] = old_comps[cmp];
+ assert( i == pcol ); // probably wrong?
+ new_comps[i] = old_comps[cmp];
}
/* Palette mapping: */
@@ -1007,11 +1007,11 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
cmp = cmap[i].cmp; pcol = cmap[i].pcol;
src = old_comps[cmp].data;
assert( src );
- max = new_comps[pcol].w * new_comps[pcol].h;
+ max = new_comps[i].w * new_comps[i].h;
/* Direct use: */
if(cmap[i].mtyp == 0) {
- assert( cmp == 0 );
+ assert( cmp == 0 ); // probably wrong.
dst = new_comps[i].data;
assert( dst );
for(j = 0; j < max; ++j) {
@@ -1019,8 +1019,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
}
}
else {
- assert( i == pcol );
- dst = new_comps[pcol].data;
+ assert( i == pcol ); // probably wrong?
+ dst = new_comps[i].data;
assert( dst );
for(j = 0; j < max; ++j) {
/* The index */
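Review bot: The `// probably wrong?` / `// probably wrong.` trailers added to the four assert() lines in the -982, -1007 and -1019 hunks of jp2.c leave the next maintainer unable to tell whether the assertion or the index expression is the suspect part, and because assert() is compiled out under NDEBUG the trailer records nothing a release build enforces. The index change itself (`new_comps[i]` in place of `new_comps[pcol]`) is the actual fix and matches the direct-use branch, which already reads `new_comps[i].data`; the assert should either be dropped or keep a comment that states the invariant being relied on, e.g. `/* new_comps is indexed by channel i; pcol is only validated in opj_jp2_check_color */`. The loop header and the allocation sizing new_comps are outside these hunks, so whether i is bounded by that allocation cannot be confirmed here and should be checked before the invariant is written down. The -902 hunk's switch to `cmap[i].mtyp != 0` does agree with the `if(cmap[i].mtyp == 0) ... else` split in opj_jp2_apply_pclr, so any nonzero mtyp is now treated as palette mapping in both places. The same four lines are duplicated verbatim in the new 0005-jp2_apply_pclr.patch and must be updated together with jp2.c.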