summaryrefslogtreecommitdiff
path: root/third_party/libopenjpeg20/t1.c
diff options
context:
space:
mode:
authorgogil <gogil@stealien.com>2016-08-04 22:43:10 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-04 22:43:10 -0700
commitb20ab6c7acb3be1393461eb650ca8fa4660c937e (patch)
treeb448cc3667a235444ac078e4c0bd4106b2c83fef /third_party/libopenjpeg20/t1.c
parent26b86e625a2c9e0f4e6a01047fef051ffa81e40a (diff)
downloadpdfium-b20ab6c7acb3be1393461eb650ca8fa4660c937e.tar.xz
openjpeg: Prevent overflows when using opj_aligned_malloc()
BUG=628304 R=thestig@chromium.org, ochang@chromium.org Review-Url: https://codereview.chromium.org/2218783002
Diffstat (limited to 'third_party/libopenjpeg20/t1.c')
-rw-r--r--third_party/libopenjpeg20/t1.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
index 108ce78b60..a119db1f76 100644
--- a/third_party/libopenjpeg20/t1.c
+++ b/third_party/libopenjpeg20/t1.c
@@ -1173,6 +1173,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
if (!t1->encoder) {
if(datasize > t1->datasize){
opj_aligned_free(t1->data);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) {
+ return OPJ_FALSE;
+ }
t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
if(!t1->data){
/* FIXME event manager error callback */
@@ -1187,6 +1190,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
if(flagssize > t1->flagssize){
opj_aligned_free(t1->flags);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssize) {
+ return OPJ_FALSE;
+ }
t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
if(!t1->flags){
/* FIXME event manager error callback */