author | JUN FANG <jun_fang@foxitsoftware.com> | 2015-07-13 06:34:20 -0700 |
---|---|---|
committer | JUN FANG <jun_fang@foxitsoftware.com> | 2015-07-13 06:34:20 -0700 |
commit | d1b0a8d9dc71c67b4ce67f148cebc01d66d1d983 (patch) | |
tree | 0799c15afca1d53f4e26c720f288c0b3a4750faf /third_party/libopenjpeg20/pi.c | |
parent | 1f4c2f24709e0246575551cecdaa0ba83de73101 (diff) | |
download | pdfium-d1b0a8d9dc71c67b4ce67f148cebc01d66d1d983.tar.xz |
Fix an integer overflow issue in openJpeg chromium/2457 chromium/2456
Fixing this issue for an urgent request. It should be fixed on the OpenJPEG side.
BUG=506763
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1231933008 .
Diffstat (limited to 'third_party/libopenjpeg20/pi.c')
-rw-r--r-- | third_party/libopenjpeg20/pi.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c
index 393a1e5540..d2ba3a14c6 100644
--- a/third_party/libopenjpeg20/pi.c
+++ b/third_party/libopenjpeg20/pi.c
@@ -36,6 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <limits.h>
 #include "opj_includes.h"
 
 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 l_current_pi = l_pi;
 
 /* memory allocation for include */
- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+ l_current_pi->include = 00;
+ if
+ (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+ {
+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16));
+ }
+
 if
 (!l_current_pi->include)
 {
|
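Review bot: The guard added in front of `opj_calloc` bounds only the final multiplication, `(l_tcp->numlayers + 1) * l_step_l`; `l_step_l` is computed before this hunk, and if it is itself a product of counts taken from the codestream it may already have wrapped by the time it is tested here, leaving the `include` buffer undersized for the iterator. It is worth confirming how `l_step_l` is derived and applying the same division-based check to each factor of that product. The comparison also uses `UINT_MAX`, which is the right bound only if both operands are 32-bit `unsigned int` (presumably true of `OPJ_UINT32`, but not shown here). A short comment would make the intent clear, e.g. `/* refuse sizes where (numlayers + 1) * l_step_l would wrap; include stays NULL and takes the failure path below */`. The body of `opj_pi_create_decode` starts and ends outside the hunk, so the failure path itself is not visible.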