authorgogil <gogil@stealien.com>2016-08-04 22:43:10 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-04 22:43:10 -0700
commitb20ab6c7acb3be1393461eb650ca8fa4660c937e (patch)
treeb448cc3667a235444ac078e4c0bd4106b2c83fef /third_party/libopenjpeg20/dwt.c
parent26b86e625a2c9e0f4e6a01047fef051ffa81e40a (diff)
openjpeg: Prevent overflows when using opj_aligned_malloc()
BUG=628304 R=thestig@chromium.org, ochang@chromium.org Review-Url: https://codereview.chromium.org/2218783002
Diffstat (limited to 'third_party/libopenjpeg20/dwt.c')
-rw-r--r--third_party/libopenjpeg20/dwt.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/dwt.c b/third_party/libopenjpeg20/dwt.c
index 3b92bdf623..1bcb108163 100644
--- a/third_party/libopenjpeg20/dwt.c
+++ b/third_party/libopenjpeg20/dwt.c
@@ -576,6 +576,9 @@ static OPJ_BOOL opj_dwt_decode_tile(const opj_tcd_tilecomp_t* tilec, OPJ_UINT32
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
h.mem_count = opj_dwt_max_resolution(tr, numres);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < (OPJ_UINT32)h.mem_count) {
+ return OPJ_FALSE;
+ }
h.mem = (OPJ_INT32*)opj_aligned_malloc(h.mem_count * sizeof(OPJ_INT32));
if (! h.mem){
/* FIXME event manager error callback */
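Review bot: The new guard before `opj_aligned_malloc()` returns `OPJ_FALSE` with no comment and no diagnostic, so a caller cannot tell a rejected oversized count from the allocation failure handled just below it; the two early returns added in the `opj_dwt_decode_real` hunk have the same gap. I would add `/* Reject counts whose byte size would wrap in the multiplication below. */` above the `if`, and report the rejection through the event manager once the existing FIXME is resolved. The `(OPJ_UINT32)h.mem_count` cast is lossless only if `mem_count` never holds more than 32 bits; its declaration is outside this hunk, so that is worth confirming. `opj_dwt_decode_tile` starts and ends outside the hunk.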
@@ -850,7 +853,17 @@ OPJ_BOOL opj_dwt_decode_real(opj_tcd_tilecomp_t* restrict tilec, OPJ_UINT32 numr
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
- h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
+ OPJ_UINT32 mr = opj_dwt_max_resolution(res, numres);
+
+ if (mr >= ((OPJ_UINT32)-5)) {
+ return OPJ_FALSE;
+ }
+ mr += 5;
+
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_v4_t) < mr) {
+ return OPJ_FALSE;
+ }
+ h.wavelet = (opj_v4_t*) opj_aligned_malloc(mr * sizeof(opj_v4_t));
if (!h.wavelet) {
/* FIXME event manager error callback */
return OPJ_FALSE;
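Review bot: The wrap check `mr >= ((OPJ_UINT32)-5)` is correct but hard to read, because it relies on the cast yielding the maximum value minus four, and the constant 5 now appears twice with no explanation of why the buffer needs that padding. Writing it as `if (mr > ((OPJ_UINT32)-1) - 5) {` with a comment such as `/* mr + 5 must not wrap */` keeps the same boundary and matches the `((OPJ_UINT32)-1)` form used in the size check that follows. The function body continues outside the hunk, so the reason for the padding cannot be confirmed from here.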