diff options
author | Nicolas Pena <npm@chromium.org> | 2017-01-19 12:42:20 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-19 18:32:40 +0000 |
commit | 341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec (patch) | |
tree | 2d90abe61ac7c2ae5cada27563b7eb325fe6858e /third_party/libopenjpeg20 | |
parent | 95bec8046a28928df627ce4d48eee8b209b3e36e (diff) | |
download | pdfium-341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec.tar.xz |
Return error in opj_j2k_read_header_procedure if l_marker_size < 2
If we do not do this check, it will overflow to a huge unsigned int, so
we will allocate a lot of memory etc.
BUG=682182
Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff
Reviewed-on: https://pdfium-review.googlesource.com/2272
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libopenjpeg20')
-rw-r--r-- | third_party/libopenjpeg20/0024-l_marker_size_check.patch | 15 | ||||
-rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libopenjpeg20/j2k.c | 4 |
3 files changed, 20 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0024-l_marker_size_check.patch b/third_party/libopenjpeg20/0024-l_marker_size_check.patch new file mode 100644 index 0000000000..cb020c9d0e --- /dev/null +++ b/third_party/libopenjpeg20/0024-l_marker_size_check.patch @@ -0,0 +1,15 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index 45187e8e6..5de89cf0e 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k, + + /* read 2 bytes as the marker size */ + opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2); ++ if (l_marker_size < 2) { ++ opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n"); ++ return OPJ_FALSE; ++ } + l_marker_size -= 2; /* Subtract the size of the marker ID already read */ + + /* Check if the marker size is compatible with the header data size */ diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 283daf609f..0f453373f9 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -33,4 +33,5 @@ Local Modifications: 0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile. 0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr. 0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free. +0024-l_marker_size_check.patch: Return error before overflow in opj_j2k_read_header_procedure. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c index 45187e8e67..5de89cf0e7 100644 --- a/third_party/libopenjpeg20/j2k.c +++ b/third_party/libopenjpeg20/j2k.c @@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k, /* read 2 bytes as the marker size */ opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2); + if (l_marker_size < 2) { + opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n"); + return OPJ_FALSE; + } l_marker_size -= 2; /* Subtract the size of the marker ID already read */ /* Check if the marker size is compatible with the header data size */ |