Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch | 34 | ||||
-rw-r--r-- | third_party/libopenjpeg20/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libopenjpeg20/j2k.c | 7 |
3 files changed, 40 insertions, 2 deletions
diff --git a/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch new file mode 100644 index 0000000000..3a40b75189 --- /dev/null +++ b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch @@ -0,0 +1,34 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index 6346c2190..d4dd65827 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, + ++l_mct_data; + } + ++ opj_mct_data_t *new_mct_records = NULL; ++ + /* NOT FOUND */ + if (i == l_tcp->m_nb_mct_records) { + if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) { +- opj_mct_data_t *new_mct_records; + l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS; + + new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t)); +@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, + } + + l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records; +- ++l_tcp->m_nb_mct_records; + } + + if (l_mct_data->m_data) { +@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, + + l_mct_data->m_data_size = p_header_size; + ++ if (new_mct_records) { ++ ++l_tcp->m_nb_mct_records; ++ } + return OPJ_TRUE; + } diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 2c8d93c1d0..283daf609f 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium 
@@ -32,4 +32,5 @@ Local Modifications: 0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc(). 0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile. 0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr. +0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c index 6346c21907..d4dd65827c 100644 --- a/third_party/libopenjpeg20/j2k.c +++ b/third_party/libopenjpeg20/j2k.c @@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, ++l_mct_data; } + opj_mct_data_t *new_mct_records = NULL; + /* NOT FOUND */ if (i == l_tcp->m_nb_mct_records) { if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) { - opj_mct_data_t *new_mct_records; l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS; new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t)); @@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, } l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records; - ++l_tcp->m_nb_mct_records; } if (l_mct_data->m_data) { @@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k, l_mct_data->m_data_size = p_header_size; + if (new_mct_records) { + ++l_tcp->m_nb_mct_records; + } return OPJ_TRUE; } |
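Review bot: In the last j2k.c hunk the count is incremented only `if (new_mct_records)`, but that pointer is assigned only inside the branch that grows the array, so a record that was not found while spare capacity remains is written at `l_tcp->m_mct_records + l_tcp->m_nb_mct_records` and never counted. The next MCT marker with an unknown index would then land on the same slot, and the earlier record is invisible to the lookup loop. Track the append rather than the realloc: declare `OPJ_BOOL new_mct = OPJ_FALSE;`, set `new_mct = OPJ_TRUE;` right after `l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;`, and test `if (new_mct)` before the final `return OPJ_TRUE;`. The same lines are duplicated in 0023-opj_j2k_read_mct_records.patch and need the same change. The function starts outside these hunks, so any earlier return between the slot selection and the deferred increment should be checked as well.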