summaryrefslogtreecommitdiff
path: root/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
diff options
context:
space:
mode:
authorochang <ochang@chromium.org>2016-08-08 16:52:28 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-08 16:52:28 -0700
commitb6befb2ed2485a3805cddea86dc7574510178ea9 (patch)
treebf4123a6e9841da3ff11d1fabcf1e6fd170a7c70 /third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
parent1c836753bb86b3eb0e130f1d92868a273bb26ab8 (diff)
downloadpdfium-b6befb2ed2485a3805cddea86dc7574510178ea9.tar.xz
openjpeg: Prevent negative x, y values in opj_tcd_init_tilechromium/2825
BUG=632622 Review-Url: https://codereview.chromium.org/2223303002
Diffstat (limited to 'third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch')
-rw-r--r--third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch21
1 files changed, 21 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
new file mode 100644
index 0000000000..33694f81fc
--- /dev/null
+++ b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
@@ -0,0 +1,21 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 9270efe..06eee4e 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
+ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
+ l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
++ if (l_tile->x0 < 0 || l_tile->x1 < 0) {
++ return OPJ_FALSE;
++ }
++
+ l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
+ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
+ l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
++ if (l_tile->y0 < 0 || l_tile->y1 < 0) {
++ return OPJ_FALSE;
++ }
+
+ /* testcase 1888.pdf.asan.35.988 */
+ if (l_tccp->numresolutions == 0) {