diff options
author | gogil <gogil@stealien.com> | 2016-08-04 22:43:10 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-04 22:43:10 -0700 |
commit | b20ab6c7acb3be1393461eb650ca8fa4660c937e (patch) | |
tree | b448cc3667a235444ac078e4c0bd4106b2c83fef /third_party/libopenjpeg20/t1.c | |
parent | 26b86e625a2c9e0f4e6a01047fef051ffa81e40a (diff) | |
download | pdfium-b20ab6c7acb3be1393461eb650ca8fa4660c937e.tar.xz |
openjpeg: Prevent overflows when using opj_aligned_malloc()
BUG=628304
R=thestig@chromium.org, ochang@chromium.org
Review-Url: https://codereview.chromium.org/2218783002
Diffstat (limited to 'third_party/libopenjpeg20/t1.c')
-rw-r--r-- | third_party/libopenjpeg20/t1.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c index 108ce78b60..a119db1f76 100644 --- a/third_party/libopenjpeg20/t1.c +++ b/third_party/libopenjpeg20/t1.c @@ -1173,6 +1173,9 @@ static OPJ_BOOL opj_t1_allocate_buffers( if (!t1->encoder) { if(datasize > t1->datasize){ opj_aligned_free(t1->data); + if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) { + return OPJ_FALSE; + } t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32)); if(!t1->data){ /* FIXME event manager error callback */ @@ -1187,6 +1190,9 @@ static OPJ_BOOL opj_t1_allocate_buffers( if(flagssize > t1->flagssize){ opj_aligned_free(t1->flags); + if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssize) { + return OPJ_FALSE; + } t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t)); if(!t1->flags){ /* FIXME event manager error callback */ |