summaryrefslogtreecommitdiff
path: root/third_party/libopenjpeg20
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-19 12:42:20 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-19 18:32:40 +0000
commit341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec (patch)
tree2d90abe61ac7c2ae5cada27563b7eb325fe6858e /third_party/libopenjpeg20
parent95bec8046a28928df627ce4d48eee8b209b3e36e (diff)
downloadpdfium-341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec.tar.xz
Return error in opj_j2k_read_header_procedure if l_marker_size < 2
If we do not do this check, it will overflow to a huge unsigned int, so we will allocate a lot of memory etc. BUG=682182 Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff Reviewed-on: https://pdfium-review.googlesource.com/2272 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party/libopenjpeg20')
-rw-r--r--third_party/libopenjpeg20/0024-l_marker_size_check.patch15
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/j2k.c4
3 files changed, 20 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0024-l_marker_size_check.patch b/third_party/libopenjpeg20/0024-l_marker_size_check.patch
new file mode 100644
index 0000000000..cb020c9d0e
--- /dev/null
+++ b/third_party/libopenjpeg20/0024-l_marker_size_check.patch
@@ -0,0 +1,15 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 45187e8e6..5de89cf0e 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k,
+
+ /* read 2 bytes as the marker size */
+ opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2);
++ if (l_marker_size < 2) {
++ opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n");
++ return OPJ_FALSE;
++ }
+ l_marker_size -= 2; /* Subtract the size of the marker ID already read */
+
+ /* Check if the marker size is compatible with the header data size */
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 283daf609f..0f453373f9 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -33,4 +33,5 @@ Local Modifications:
0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr.
0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free.
+0024-l_marker_size_check.patch: Return error before overflow in opj_j2k_read_header_procedure.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 45187e8e67..5de89cf0e7 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k,
/* read 2 bytes as the marker size */
opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2);
+ if (l_marker_size < 2) {
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n");
+ return OPJ_FALSE;
+ }
l_marker_size -= 2; /* Subtract the size of the marker ID already read */
/* Check if the marker size is compatible with the header data size */