summaryrefslogtreecommitdiff
path: root/third_party
diff options
context:
space:
mode:
Diffstat (limited to 'third_party')
-rw-r--r--third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch34
-rw-r--r--third_party/libopenjpeg20/README.pdfium1
-rw-r--r--third_party/libopenjpeg20/j2k.c7
3 files changed, 40 insertions, 2 deletions
diff --git a/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
new file mode 100644
index 0000000000..3a40b75189
--- /dev/null
+++ b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 6346c2190..d4dd65827 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ ++l_mct_data;
+ }
+
++ opj_mct_data_t *new_mct_records = NULL;
++
+ /* NOT FOUND */
+ if (i == l_tcp->m_nb_mct_records) {
+ if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
+- opj_mct_data_t *new_mct_records;
+ l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
+
+ new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
+@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ }
+
+ l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
+- ++l_tcp->m_nb_mct_records;
+ }
+
+ if (l_mct_data->m_data) {
+@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+
+ l_mct_data->m_data_size = p_header_size;
+
++ if (new_mct_records) {
++ ++l_tcp->m_nb_mct_records;
++ }
+ return OPJ_TRUE;
+ }
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 2c8d93c1d0..283daf609f 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -32,4 +32,5 @@ Local Modifications:
0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr.
+0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 6346c21907..d4dd65827c 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
++l_mct_data;
}
+ opj_mct_data_t *new_mct_records = NULL;
+
/* NOT FOUND */
if (i == l_tcp->m_nb_mct_records) {
if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
- opj_mct_data_t *new_mct_records;
l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
}
l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
- ++l_tcp->m_nb_mct_records;
}
if (l_mct_data->m_data) {
@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
l_mct_data->m_data_size = p_header_size;
+ if (new_mct_records) {
+ ++l_tcp->m_nb_mct_records;
+ }
return OPJ_TRUE;
}