author | Nicolas Pena <npm@chromium.org> | 2018-01-10 16:45:17 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-01-10 16:45:17 +0000 |
commit | a408ac86ecad7086b3af6aa04d994cc4da16f52d (patch) | |
tree | 0d9d69a4957b2046d5f3fe930269aecfc8527529 | |
parent | 93cfa060aa6324b2a79f25782e3c986750479ac5 (diff) | |
[OpenJPEG] Fix integer overflow
Bug: 796812
Change-Id: I857f037028ea0e74544bdc7c8cd26b4b44e64ec4
Reviewed-on: https://pdfium-review.googlesource.com/22610
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
-rw-r--r-- | third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch | 49 | ||||
-rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libopenjpeg20/j2k.c | 26 |
3 files changed, 62 insertions, 14 deletions
diff --git a/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch b/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch
new file mode 100644
index 0000000000..b918c0586e
--- /dev/null
+++ b/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch
@@ -0,0 +1,49 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 784a0620a..cea614709 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -9223,32 +9223,30 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+
+ l_img_comp = p_image->comps;
+ for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+- OPJ_INT32 l_h, l_w;
+-
+ l_img_comp->x0 = opj_uint_ceildiv(p_image->x0, l_img_comp->dx);
+ l_img_comp->y0 = opj_uint_ceildiv(p_image->y0, l_img_comp->dy);
+ l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx);
+ l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy);
+
+- l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor)
+- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
+- if (l_w < 0) {
++ OPJ_INT32 l_1 = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor);
++ OPJ_INT32 l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
++ if (l_1 < l_2) {
+ opj_event_msg(p_manager, EVT_ERROR,
+- "Size x of the decoded component image is incorrect (comp[%d].w=%d).\n",
+- it_comp, l_w);
++ "Size x of the decoded component image is incorrect (comp[%d].w<0).\n",
++ it_comp);
+ return OPJ_FALSE;
+ }
+- l_img_comp->w = (OPJ_UINT32)l_w;
++ l_img_comp->w = (OPJ_UINT32)(l_1-l_2);
+
+- l_h = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor)
+- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
+- if (l_h < 0) {
++ l_1 = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor);
++ l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
++ if (l_1 < l_2) {
+ opj_event_msg(p_manager, EVT_ERROR,
+- "Size y of the decoded component image is incorrect (comp[%d].h=%d).\n",
+- it_comp, l_h);
++ "Size y of the decoded component image is incorrect (comp[%d].h<0).\n",
++ it_comp);
+ return OPJ_FALSE;
+ }
+- l_img_comp->h = (OPJ_UINT32)l_h;
++ l_img_comp->h = (OPJ_UINT32)(l_1-l_2);
+
+ l_img_comp++;
+ }
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index b098bf6b73..1805000634 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -27,3 +27,4 @@ Local Modifications:
 0026-use_opj_uint_ceildiv.patch: Remove (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b).
 0033-undefined-shift-opj_t1_dec_clnpass.patch: fix undefined shifts originated from opj_t1_decode_cblk.
 0034-opj_malloc.patch: PDFium changes in opj_malloc.
+0035-opj_j2k_update_image_dimensions.patch: fix integer overflow.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 784a0620a5..cea6147096 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -9223,32 +9223,30 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
 l_img_comp = p_image->comps;
 for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
- OPJ_INT32 l_h, l_w;
-
 l_img_comp->x0 = opj_uint_ceildiv(p_image->x0, l_img_comp->dx);
 l_img_comp->y0 = opj_uint_ceildiv(p_image->y0, l_img_comp->dy);
 l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx);
 l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy);
- l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor)
- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
- if (l_w < 0) {
+ OPJ_INT32 l_1 = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor);
+ OPJ_INT32 l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
+ if (l_1 < l_2) {
 opj_event_msg(p_manager, EVT_ERROR,
- "Size x of the decoded component image is incorrect (comp[%d].w=%d).\n",
- it_comp, l_w);
+ "Size x of the decoded component image is incorrect (comp[%d].w<0).\n",
+ it_comp);
 return OPJ_FALSE;
 }
- l_img_comp->w = (OPJ_UINT32)l_w;
+ l_img_comp->w = (OPJ_UINT32)(l_1-l_2);
- l_h = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor)
- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
- if (l_h < 0) {
+ l_1 = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor);
+ l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
+ if (l_1 < l_2) {
 opj_event_msg(p_manager, EVT_ERROR,
- "Size y of the decoded component image is incorrect (comp[%d].h=%d).\n",
- it_comp, l_h);
+ "Size y of the decoded component image is incorrect (comp[%d].h<0).\n",
+ it_comp);
 return OPJ_FALSE;
 }
- l_img_comp->h = (OPJ_UINT32)l_h;
+ l_img_comp->h = (OPJ_UINT32)(l_1-l_2);
 l_img_comp++;
 } |
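Review bot: The difference in `(OPJ_UINT32)(l_1-l_2)` is still evaluated in `OPJ_INT32` before the cast, so the new `l_1 < l_2` guard rejects a negative size but does not by itself rule out signed overflow when `l_2` is negative and `l_1` is large. The `(OPJ_INT32)l_img_comp->x0` cast appears to allow a negative `l_2` for an offset at or above 2^31; whether earlier header validation excludes that is not visible in this hunk. Doing the subtraction in unsigned arithmetic is well defined and yields the same value once the guard has passed: `l_img_comp->w = (OPJ_UINT32)l_1 - (OPJ_UINT32)l_2;`, and the same for the `h` assignment further down. If that is changed, 0035-opj_j2k_update_image_dimensions.patch needs regenerating so the recorded local modification matches j2k.c. The body of opj_j2k_update_image_dimensions starts and ends outside the hunk.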