Guard against undefined shifting in JPX decoder

If the prec value in syncc444_to_rgb is more then 30 then when we shift left we'll go negative. The subsequent -1 will cause an overflow. This CL early returns if the prec value is > 30. Bug: chromium:728321 Change-Id: I4d25e9bab840bc6d46f8db3490c9484392cd7a32 Reviewed-on: https://pdfium-review.googlesource.com/6414 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
author: Dan Sinclair <dsinclair@chromium.org> 2017-06-08 15:09:35 -0400
committer: Chromium commit bot <commit-bot@chromium.org> 2017-06-08 19:41:04 +0000
commit: 2ddf1ccbf8c0596c0ba994114420a50fca2240f3 (patch)
tree: 8219bc4bca22b75fe34ba1b33d3755339d7d7af2
parent: 0915087c64d64023f503d466b73835c09d0ed3a3 (diff)
download: pdfium-2ddf1ccbf8c0596c0ba994114420a50fca2240f3.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/core/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
index 9627025164..74ab5f277d 100644
--- a/core/fxcodec/codec/fx_codec_jpx_opj.cpp
+++ b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
@@ -162,6 +162,9 @@ static void sycc_to_rgb(int offset,
 
 static void sycc444_to_rgb(opj_image_t* img) {
   int prec = img->comps[0].prec;
+  // If we shift 31 we're going to go negative, then things go bad.
+  if (prec > 30)
+    return;
   int offset = 1 << (prec - 1);
   int upb = (1 << prec) - 1;
   OPJ_UINT32 maxw =
author	Dan Sinclair <dsinclair@chromium.org>	2017-06-08 15:09:35 -0400
committer	Chromium commit bot <commit-bot@chromium.org>	2017-06-08 19:41:04 +0000
commit	2ddf1ccbf8c0596c0ba994114420a50fca2240f3 (patch)
tree	8219bc4bca22b75fe34ba1b33d3755339d7d7af2
parent	0915087c64d64023f503d466b73835c09d0ed3a3 (diff)
download	pdfium-2ddf1ccbf8c0596c0ba994114420a50fca2240f3.tar.xz