authorOliver Chang <ochang@chromium.org>2016-01-14 11:50:00 -0800
committerOliver Chang <ochang@chromium.org>2016-01-14 11:50:00 -0800
commit0b56371b1e9683676cf191f2d9d41d40d47c3726 (patch)
treecf4295a57ecd0b7c03e758735cd6635f1e45ead4
parent8694bf8ac331d9a94d62d86465d599eee54486d0 (diff)
openjpeg: Fix potential bad precno value in opj_pi_next* functions.
R=thestig@chromium.org BUG=571479 Review URL: https://codereview.chromium.org/1585243003 .
-rw-r--r--third_party/libopenjpeg20/0009-opj_pi_next.patch34
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/pi.c9
3 files changed, 44 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0009-opj_pi_next.patch b/third_party/libopenjpeg20/0009-opj_pi_next.patch
new file mode 100644
index 0000000000..a7701f0d05
--- /dev/null
+++ b/third_party/libopenjpeg20/0009-opj_pi_next.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
+index 06f1e41..462e07c 100644
+--- a/third_party/libopenjpeg20/pi.c
++++ b/third_party/libopenjpeg20/pi.c
+@@ -377,6 +377,9 @@ if (!pi->tp_on){
+ prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++ if (pi->precno >= res->pw * res->ph) {
++ return OPJ_FALSE;
++ }
+ for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (!pi->include[index]) {
+@@ -458,6 +461,9 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
+ prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++ if (pi->precno >= res->pw * res->ph) {
++ return OPJ_FALSE;
++ }
+ for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (!pi->include[index]) {
+@@ -537,6 +543,9 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) {
+ prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
+ - opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
+ pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
++ if (pi->precno >= res->pw * res->ph) {
++ return OPJ_FALSE;
++ }
+ for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
+ index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
+ if (!pi->include[index]) {
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index cbe052aaac..b5c93f8fe3 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -18,4 +18,5 @@ Local Modifications:
0006-tcd_init_tile.patch: Fix a dividing zero bug in opj_tcd_init_tile().
0007-jp2_read_cmap.patch: Fix wrong rendering on greyscale images with index colorspace.
0008-jp2_check_color.patch: Replace an assertion with returning false.
+0009-opj_pi_next.patch: Fix potential bad precno value in opj_pi_next* functions.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
index 06f1e41157..462e07c836 100644
--- a/third_party/libopenjpeg20/pi.c
+++ b/third_party/libopenjpeg20/pi.c
@@ -377,6 +377,9 @@ if (!pi->tp_on){
prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
- opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+ if (pi->precno >= res->pw * res->ph) {
+ return OPJ_FALSE;
+ }
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
if (!pi->include[index]) {
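Review bot: The new bound is applied to the flattened `pi->precno` rather than to `prci` and `prcj` separately, so an out-of-range pair can still pass it. For example, a negative `prci` combined with a positive `prcj` lands inside `[0, res->pw * res->ph)` and silently selects a different precinct. Checking the coordinates before the multiply, e.g. `if (prci < 0 || prcj < 0 || (OPJ_UINT32)prci >= res->pw || (OPJ_UINT32)prcj >= res->ph) return OPJ_FALSE;`, would also keep the signed `prci + prcj * (OPJ_INT32)res->pw` from overflowing on a malformed codestream (assuming both are OPJ_INT32, as the casts suggest). The same applies to the identical checks added in opj_pi_next_pcrl and opj_pi_next_cprl. The enclosing function starts and ends outside the hunk.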
@@ -458,6 +461,9 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
- opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+ if (pi->precno >= res->pw * res->ph) {
+ return OPJ_FALSE;
+ }
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
if (!pi->include[index]) {
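Review bot: `index` is still used to read `pi->include[index]` without being compared to the length of that array. The added check limits only the `precno` term, and the sum of the four `* pi->step_*` products looks like 32-bit arithmetic that can wrap. If the iterator records how many entries `include` was allocated with (not visible in this hunk), comparing `index` against that count right after it is computed would also cover a mismatch in the layno, resno, compno or step terms. A one-line comment on the new `if`, such as `/* precno comes from codestream geometry; reject values outside this resolution's pw*ph precinct grid */`, would tell the next reader why the function returns here. The first and third hunks have the same shape; the body of opj_pi_next_pcrl continues outside the hunk.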
@@ -537,6 +543,9 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) {
prcj = opj_int_floordivpow2(opj_int_ceildiv(pi->y, (OPJ_INT32)(comp->dy << levelno)), (OPJ_INT32)res->pdy)
- opj_int_floordivpow2(try0, (OPJ_INT32)res->pdy);
pi->precno = (OPJ_UINT32)(prci + prcj * (OPJ_INT32)res->pw);
+ if (pi->precno >= res->pw * res->ph) {
+ return OPJ_FALSE;
+ }
for (pi->layno = pi->poc.layno0; pi->layno < pi->poc.layno1; pi->layno++) {
index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * pi->step_c + pi->precno * pi->step_p;
if (!pi->include[index]) {