diff options
| -rw-r--r-- | third_party/libopenjpeg20/0027-undefined-shift-opj_t1_decode_cblk.patch | 13 | ||||
| -rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
| -rw-r--r-- | third_party/libopenjpeg20/t1.c | 2 |
3 files changed, 15 insertions, 1 deletions
diff --git a/third_party/libopenjpeg20/0027-undefined-shift-opj_t1_decode_cblk.patch b/third_party/libopenjpeg20/0027-undefined-shift-opj_t1_decode_cblk.patch new file mode 100644 index 0000000000..7ba877ab98 --- /dev/null +++ b/third_party/libopenjpeg20/0027-undefined-shift-opj_t1_decode_cblk.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c +index a119db1f7..1ad850c77 100644 +--- a/third_party/libopenjpeg20/t1.c ++++ b/third_party/libopenjpeg20/t1.c +@@ -1411,7 +1411,7 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1, + } + } + +- for (passno = 0; passno < seg->real_num_passes; ++passno) { ++ for (passno = 0; (passno < seg->real_num_passes) && (bpno_plus_one >= 1); ++passno) { + switch (passtype) { + case 0: + if (type == T1_TYPE_RAW) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 8ed63771f7..ea8f5239ba 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -36,4 +36,5 @@ Local Modifications: 0024-l_marker_size_check.patch: Return error before overflow in opj_j2k_read_header_procedure. 0025-opj_j2k_add_mct_null_data.patch: Check m_data != null before trying to read from it. 0026-use_opj_uint_ceildiv.patch: Remove (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b). +0027-undefined-shift-opj_t1_decode_cblk.patch: upstream fix for a ubsan bug. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c index a119db1f76..1ad850c77e 100644 --- a/third_party/libopenjpeg20/t1.c +++ b/third_party/libopenjpeg20/t1.c @@ -1411,7 +1411,7 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1, } } - for (passno = 0; passno < seg->real_num_passes; ++passno) { + for (passno = 0; (passno < seg->real_num_passes) && (bpno_plus_one >= 1); ++passno) { switch (passtype) { case 0: if (type == T1_TYPE_RAW) { |