authorNicolas Pena <npm@chromium.org>2017-01-10 16:40:29 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-10 22:09:38 +0000
commit44bc1f818dd791c2a5a81103be3853093fd934b3 (patch)
tree0029aebd34fc0a1af99e65b62b844629b8ccc099
parent0cb9b8cb094532ff868314350680d3fb0ca2fe51 (diff)
downloadpdfium-44bc1f818dd791c2a5a81103be3853093fd934b3.tar.xz
Fix m_nb_mct_records calculation in opj_j2k_read_mct
Now we update m_nb_mct_records only when there was a new mct record, and the l_mct_data computations all went through. In the previous version, the ++l_tcp->m_nb_mcc_records was at the end, without the if. Notice that this is similar to the analogous code in opj_j2k_read_mcc. CL that changed the calculation: https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60 BUG=678461 Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662 Reviewed-on: https://pdfium-review.googlesource.com/2165 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r--third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch34
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/j2k.c7
3 files changed, 40 insertions, 2 deletions
diff --git a/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
new file mode 100644
index 0000000000..3a40b75189
--- /dev/null
+++ b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 6346c2190..d4dd65827 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ ++l_mct_data;
+ }
+
++ opj_mct_data_t *new_mct_records = NULL;
++
+ /* NOT FOUND */
+ if (i == l_tcp->m_nb_mct_records) {
+ if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
+- opj_mct_data_t *new_mct_records;
+ l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
+
+ new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
+@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ }
+
+ l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
+- ++l_tcp->m_nb_mct_records;
+ }
+
+ if (l_mct_data->m_data) {
+@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+
+ l_mct_data->m_data_size = p_header_size;
+
++ if (new_mct_records) {
++ ++l_tcp->m_nb_mct_records;
++ }
+ return OPJ_TRUE;
+ }
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 2c8d93c1d0..283daf609f 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -32,4 +32,5 @@ Local Modifications:
0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr.
+0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 6346c21907..d4dd65827c 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
++l_mct_data;
}
+ opj_mct_data_t *new_mct_records = NULL;
+
/* NOT FOUND */
if (i == l_tcp->m_nb_mct_records) {
if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
- opj_mct_data_t *new_mct_records;
l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
}
l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
- ++l_tcp->m_nb_mct_records;
}
if (l_mct_data->m_data) {
@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
l_mct_data->m_data_size = p_header_size;
+ if (new_mct_records) {
+ ++l_tcp->m_nb_mct_records;
+ }
return OPJ_TRUE;
}
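Review bot: The guard `if (new_mct_records)` before the increment is true only when the record array was reallocated, not whenever the lookup fell into the NOT FOUND branch, so a new MCT record that still fits within m_nb_max_mct_records is written at `l_tcp->m_mct_records + l_tcp->m_nb_mct_records` but never counted, and the next unfound marker appears to land on the same slot (freeing its m_data at `if (l_mct_data->m_data)`), silently dropping the earlier record. The same conflation lives in the `opj_mct_data_t *new_mct_records = NULL;` declaration in the first hunk and the removed increment in the second, and is duplicated verbatim in the new 0023-opj_j2k_read_mct_records.patch. Track the condition separately: declare `OPJ_BOOL l_new_mct = OPJ_FALSE;`, set `l_new_mct = OPJ_TRUE;` directly after `l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;` in the NOT FOUND branch, and guard the increment with `if (l_new_mct) {`. That preserves the commit's intent, counting the record only once its m_data is populated so a later allocation failure cannot leave a counted record pointing at freed or uninitialised data, while restoring the count for records that needed no realloc. The realloc and m_data allocation failure paths lie between these hunks outside the view; opj_j2k_read_mct ends at this hunk's final `}`.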