diff options
| author | JUN FANG <jun_fang@foxitsoftware.com> | 2015-07-13 06:34:20 -0700 |
|---|---|---|
| committer | JUN FANG <jun_fang@foxitsoftware.com> | 2015-07-13 06:38:16 -0700 |
| commit | 83ad95c4e0b220a37af078e7e4e45b199052bf2e (patch) | |
| tree | faf92b975c09a1ec4fd0d4dc4c5b73560b44da74 /third_party | |
| parent | 01f9dfbc16da03aa4d29338aabd0ca4403234776 (diff) | |
| download | pdfium-83ad95c4e0b220a37af078e7e4e45b199052bf2e.tar.xz | |
Merge to XFA: Fix an integer overflow issue in openJpeg
Fixing this issue for an urgent request. It should be fixed in OpenJPEG side.
BUG=506763
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1231933008 .
Diffstat (limited to 'third_party')
| -rw-r--r-- | third_party/libopenjpeg20/pi.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c index 393a1e5540..d2ba3a14c6 100644 --- a/third_party/libopenjpeg20/pi.c +++ b/third_party/libopenjpeg20/pi.c @@ -36,6 +36,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ +#include <limits.h> #include "opj_includes.h" /** @defgroup PI PI - Implementation of a packet iterator */ @@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, l_current_pi = l_pi; /* memory allocation for include */ - l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); + l_current_pi->include = 00; + if + (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1) + { + l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16)); + } + if (!l_current_pi->include) { |