LibOpenJPEG: undefined shift in opj_t1_dec_clnpass

bpno_plus_one is used as a parameter bpno for a bunch of methods that calculate
1 << bpno. Thus, use a reduced value when it's large enough to cause undefined
shift. bpno_plus_one itself remains unchanged so that the number of calls
remains the same

Bug: chromium:698526
Change-Id: I40431d41a04f3e2315bd3c80114cd0fcbd2815b4
Reviewed-on: https://pdfium-review.googlesource.com/5310
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch
new file mode 100644
index 0000000000..58f04b0a24
--- /dev/null
+++ b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch
@@ -0,0 +1,14 @@
+diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
+index 1ad850c77..d290c38d5 100644
+--- a/third_party/libopenjpeg20/t1.c
++++ b/third_party/libopenjpeg20/t1.c
+@@ -1387,6 +1387,9 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1,
+        }
+ 
+        bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
++    if (bpno_plus_one > 30) {
++        return OPJ_FALSE;
++    }
+        passtype = 2;
+ 
+        opj_mqc_resetstates(mqc);