diff options
author | ochang <ochang@chromium.org> | 2016-08-08 16:52:28 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-08 16:52:28 -0700 |
commit | b6befb2ed2485a3805cddea86dc7574510178ea9 (patch) | |
tree | bf4123a6e9841da3ff11d1fabcf1e6fd170a7c70 /third_party | |
parent | 1c836753bb86b3eb0e130f1d92868a273bb26ab8 (diff) | |
download | pdfium-b6befb2ed2485a3805cddea86dc7574510178ea9.tar.xz |
openjpeg: Prevent negative x, y values in opj_tcd_init_tilechromium/2825
BUG=632622
Review-Url: https://codereview.chromium.org/2223303002
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch | 21 | ||||
-rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libopenjpeg20/tcd.c | 7 |
3 files changed, 29 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch new file mode 100644 index 0000000000..33694f81fc --- /dev/null +++ b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch @@ -0,0 +1,21 @@ +diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c +index 9270efe..06eee4e 100644 +--- a/third_party/libopenjpeg20/tcd.c ++++ b/third_party/libopenjpeg20/tcd.c +@@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ + l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); + l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); ++ if (l_tile->x0 < 0 || l_tile->x1 < 0) { ++ return OPJ_FALSE; ++ } ++ + l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ + l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); + l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); ++ if (l_tile->y0 < 0 || l_tile->y1 < 0) { ++ return OPJ_FALSE; ++ } + + /* testcase 1888.pdf.asan.35.988 */ + if (l_tccp->numresolutions == 0) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index a40ed7ba3f..7779044799 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -30,4 +30,5 @@ Local Modifications: 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size. 0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|. 0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc(). +0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c index 9270efe399..06eee4ebd5 100644 --- a/third_party/libopenjpeg20/tcd.c +++ b/third_party/libopenjpeg20/tcd.c @@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); + if (l_tile->x0 < 0 || l_tile->x1 < 0) { + return OPJ_FALSE; + } + l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); + if (l_tile->y0 < 0 || l_tile->y1 < 0) { + return OPJ_FALSE; + } /* testcase 1888.pdf.asan.35.988 */ if (l_tccp->numresolutions == 0) { |