diff options
-rw-r--r-- | third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch | 14 | ||||
-rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libopenjpeg20/t1.c | 3 |
3 files changed, 18 insertions, 0 deletions
diff --git a/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch new file mode 100644 index 0000000000..58f04b0a24 --- /dev/null +++ b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch @@ -0,0 +1,14 @@ +diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c +index 1ad850c77..d290c38d5 100644 +--- a/third_party/libopenjpeg20/t1.c ++++ b/third_party/libopenjpeg20/t1.c +@@ -1387,6 +1387,9 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1, + } + + bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps); ++ if (bpno_plus_one > 30) { ++ return OPJ_FALSE; ++ } + passtype = 2; + + opj_mqc_resetstates(mqc); diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index cae9a9a98e..a90f28b0f1 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -42,4 +42,5 @@ Local Modifications: 0030-undefined-shift-opj_get_all_encoding_parameters.patch: fix undefined shift in pi.c method. 0031-undefined-shift-opj_bio_read.patch: fix undefined shift in bio.c method. 0032-undefined-shift-opj_j2k_read_siz.patch: fix undefined shift in j2k.c method. +0033-undefined-shift-opj_t1_dec_clnpass.patch: fix undefined shifts originated from opj_t1_decode_cblk. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c index 1ad850c77e..d290c38d52 100644 --- a/third_party/libopenjpeg20/t1.c +++ b/third_party/libopenjpeg20/t1.c @@ -1387,6 +1387,9 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1, } bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps); + if (bpno_plus_one > 30) { + return OPJ_FALSE; + } passtype = 2; opj_mqc_resetstates(mqc); |