Fix a crashier due to images with abnormal size

BUG=453553
R=thestig@chromium.org, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1093323003

(cherry picked from commit ba920211c9569a38a4494398ac271a32098d81da)

Review URL: https://codereview.chromium.org/1105683004

1 files changed, 10 insertions, 6 deletions

diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
index f944ad1afb..73dc5ab6fd 100644
--- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
+++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c
@@ -8008,14 +8008,18 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
         l_img_comp_dest = p_output_image->comps;
 
         for (i=0; i<l_image_src->numcomps; i++) {
-
                 /* Allocate output component buffer if necessary */
                 if (!l_img_comp_dest->data) {
-
-                        l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_img_comp_dest->w * l_img_comp_dest->h, sizeof(OPJ_INT32));
-                        if (! l_img_comp_dest->data) {
-                                return OPJ_FALSE;
-                        }
+                    OPJ_UINT32 width = l_img_comp_dest->w;
+                    OPJ_UINT32 height = l_img_comp_dest->h;
+                    const OPJ_UINT32 MAX_SIZE = UINT32_MAX / sizeof(OPJ_INT32);
+                    if (height == 0 || width > MAX_SIZE / height) {
+                        return OPJ_FALSE;
+                    } 
+                    l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(width * height, sizeof(OPJ_INT32));
+                    if (!l_img_comp_dest->data) {
+                        return OPJ_FALSE;
+                    }
                 }
 
                 /* Copy info from decoded comp image to output image */