summaryrefslogtreecommitdiff
path: root/third_party/libopenjpeg20
AgeCommit message (Collapse)Author
2017-05-09LibOpenJPEG: restrict l_img_comp->prec to avoid undefined shiftNicolas Pena
The 38 value seems arbitrary, and the prec is used in OPJ_INT32 with 1 << (prec - 1). So limit it to be at most 31, and avoid undefined shifts. Bug: chromium:698498 Change-Id: I840f2e65231ac7847ed26bcaea36471a53be49e8 Reviewed-on: https://pdfium-review.googlesource.com/5173 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-05-05Fix undefined shift in opj_bio_readNicolas Pena
Bug: chromium:666683 Change-Id: I1c633d82e9ef75dd99ef032b4fc46fe8d3651cd1 Reviewed-on: https://pdfium-review.googlesource.com/5050 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-05-04Fix undefined shift in opj_get_all_encoding_parametersNicolas Pena
The value 1u << (l_pdx + l_level_no) is only used to calculate a minimum, so skip it when the shift doesn't even fit unsigned integer. Also use the uint min version since all values being considered are unsigned anyways. Bug: chromium:666892 Change-Id: I79c6e52022aa894033c5cdabec29c4b8313e293b Reviewed-on: https://pdfium-review.googlesource.com/4891 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-03-13LibopenJPEG: Fix some divisions by 0 in pi.cNicolas Pena
The undefined shifts in libopenjpeg are sometimes used as divisors. This CL checks that we are not trying to divide by 0 or mod by 0 in some places in pi.c. BUG=chromium:699491 Change-Id: Iaf629112437068d6479dbbb52b339bec6edefed0 Reviewed-on: https://pdfium-review.googlesource.com/2962 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-03-01LibOpenJPEG upstream: check size in opj_j2k_read_sizNicolas Pena
This happens to fix the bug in question but I suspect they still do not have enough checks to prevent undefined shifts. Patch: https://github.com/uclouvain/openjpeg/pull/762/commits/5afb4d0546dd1b0a162b4e895cfdcfa4b32f1180 BUG=694042 Change-Id: I9466eb2b095f07233517ff5f1bcb0c2437be78ac Reviewed-on: https://pdfium-review.googlesource.com/2888 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-02-17Libopenjpeg upstream fix for undefined shiftchromium/3019chromium/3018chromium/3017chromium/3016Nicolas Pena
Patch: https://github.com/uclouvain/openjpeg/commit/20789fed4ec7746e938dd2934a1fb5aa352f4d12 BUG=657440 Change-Id: Ic2320cd4baabbd7bc09ec428c5f49b7ab3e7eb66 Reviewed-on: https://pdfium-review.googlesource.com/2795 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-25Use opj_uint_ceildiv where it is better than its int versionNicolas Pena
Replaced (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b) with opj_uint_ceildiv(a, b), which makes much more sense. BUG=683156 Change-Id: Ie9d6736f4ec0f16d14f203850a14f0dabd73ee38 Reviewed-on: https://pdfium-review.googlesource.com/2352 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-24Check m_data!=null when adding mctNicolas Pena
m_decorrelation_array and m_offset_array can be assigned to l_mct_data, which can be set in opj_j2k_read_mct. In this method, there can be an early true return before allocating m_data but after freeing it. BUG=678342 Change-Id: Id9ea3cc57a9a278deb1540e5db8a94db86018fd6 Reviewed-on: https://pdfium-review.googlesource.com/2350 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-01-19Return error in opj_j2k_read_header_procedure if l_marker_size < 2Nicolas Pena
If we do not do this check, it will overflow to a huge unsigned int, so we will allocate a lot of memory etc. BUG=682182 Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff Reviewed-on: https://pdfium-review.googlesource.com/2272 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-11Really fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
My previous attempt did not follow precisely the way m_nb_mcc_records is increased in opj_j2k_read_mcc. Previous: https://pdfium-review.googlesource.com/c/2165/ BUG=678461, 680102 Change-Id: I3e14c440e3a49b714f8cd82d44992fe647200336 Reviewed-on: https://pdfium-review.googlesource.com/2171 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-10Fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
Now we update m_nb_mct_records only when there was a new mct record, and l_mct_data computations all went through. In previous version, the ++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that this is similar to the analoguous in opj_j2k_read_mcc. CL that changed the calculation: https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60 BUG=678461 Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662 Reviewed-on: https://pdfium-review.googlesource.com/2165 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2016-08-29openjpeg: Prevent an integer overflow in opj_jp2_apply_pclr.stackexploit
This patch also prevent a null pointer access problem. BUG=chromium:638829 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2270343002
2016-08-08openjpeg: Prevent negative x, y values in opj_tcd_init_tilechromium/2825ochang
BUG=632622 Review-Url: https://codereview.chromium.org/2223303002
2016-08-04openjpeg: Prevent overflows when using opj_aligned_malloc()gogil
BUG=628304 R=thestig@chromium.org, ochang@chromium.org Review-Url: https://codereview.chromium.org/2218783002
2016-08-04openjpeg: Prevent integer overflows during calculation of ↵gogil
|l_nb_code_blocks_size| BUG=628890 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2212973002
2016-07-25Fix an integer overflow in opj_tcd_get_decoded_tile_size().chromium/2810chromium/2809ochang
Based on suggested patch by reporter. BUG=629919 Review-Url: https://codereview.chromium.org/2182683002
2016-07-06openjpeg: Prevent integer overflows during calculation of |l_nb_precinct_size|ochang
BUG=625541 Review-Url: https://codereview.chromium.org/2124073003
2016-06-20openjpeg: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc.stackexploit
BUG=chromium:619405 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2071773002
2016-05-20openjpeg: Prevent a buffer overflow in opj_j2k_read_SPCod_SPCoc.chromium/2747chromium/2746chromium/2745chromium/2744ochang
BUG=chromium:613160 Review-Url: https://codereview.chromium.org/2001663002
2016-05-19Fix a memory leak in opj_jp2_read_ihdr().thestig
BUG=603895 Review-Url: https://codereview.chromium.org/1992893003
2016-03-18openjpeg: Remove unneeded non-standard code.Nico Weber
When building with clang-cl and not passing /FIintrin.h, the __attribute__ defined to nothing, which confuses the compiler (see bug). Since nothing seems to require the __attribute__ redefinition, just remove it. Reported upstream here: https://github.com/uclouvain/openjpeg/issues/727 BUG=592745 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1810373002 .
2016-03-10openjpeg: Don't build with SSE instrinsics for 32-bit x86.Oliver Chang
Fixes 32-bit clang-cl build. These intrinsics require addresses with 16-byte alignment, which doesn't cause issues for 64-bit builds because of allocator alignment. MSVC doesn't recognise the __SSE__, __SSE2__ defines, which is why this problem never surfaced before. R=tsepez@chromium.org BUG=pdfium:433 Review URL: https://codereview.chromium.org/1783813003 .
2016-02-23openjpeg: Prevent bad cast in opj_j2k_update_image_dataOliver Chang
R=tsepez@chromium.org BUG=587227 Review URL: https://codereview.chromium.org/1726843002 .
2016-01-15Merge to XFA: openjpeg: Set proper upper bound for an array in ↵Oliver Chang
opj_pi_update_decode_poc(). R=tsepez@chromium.org TBR=tsepez@chromium.org BUG=571480 Original Review URL: https://codereview.chromium.org/1583233008 . (cherry picked from commit 7a0f441e1410b3a0d97374c00c4007552d7dd27a) Review URL: https://codereview.chromium.org/1594603004 .
2016-01-14Merge to XFA: openjpeg: Fix potential bad precno value in opj_pi_next* ↵chromium/2622Oliver Chang
functions. TBR=thestig@chromium.org BUG=571479 Original Review URL: https://codereview.chromium.org/1585243003 . (cherry picked from commit 0b56371b1e9683676cf191f2d9d41d40d47c3726) Review URL: https://codereview.chromium.org/1590593002 .
2015-12-24Merge to XFA: Replace an assertion with returning falseJun Fang
BUG=pdfium:277 R=thestig@chromium.org Review URL: https://codereview.chromium.org/1548583002 . Review URL: https://codereview.chromium.org/1549873002 .
2015-12-21Merge to XFA: Fix wrong rendering on greyscale images with index colorspaceJun Fang
BUG=514514 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1536223002 . Merge branch 'xfa' of https://pdfium.googlesource.com/pdfium into xfa Merge to XFA: Correct return values in CPDF_HintTables::CheckPage() BUG=pdfium:329 R=thestig@chromium.org Review URL: https://codereview.chromium.org/1529173005 . Review URL: https://codereview.chromium.org/1539163002 .
2015-12-15Merge to XFA: Fix a dividing zero bug in opj_tcd_init_tile()Jun Fang
BUG=541446 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1520203002 . Review URL: https://codereview.chromium.org/1520323004 .
2015-12-14Merge to XFA: openjpeg: Fix crash in opj_jp2_apply_pclrOliver Chang
TBR=tsepez@chromium.org BUG=554172 Original Review URL: https://codereview.chromium.org/1492693003 . (cherry picked from commit 3026f26aa69e983837d05a5477fe22e79aed0d26) Review URL: https://codereview.chromium.org/1520323003 .
2015-12-11Merge to XFA: openjpeg: fix incrementing of "l_tcp->m_nb_mcc_records" in ↵Oliver Chang
opj_j2k_read_mcc TBR=tsepez@chromium.org BUG=554129 Original Review URL: https://codereview.chromium.org/1488303004 . (cherry picked from commit e2eb04f0352d621bc8837217078c23d67044bf38) Review URL: https://codereview.chromium.org/1524553002 .
2015-10-13upgrade openjpeg to commit# cf352afJun Fang
BUG=457480,497355 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1338973005 .
2015-09-03Merge to XFA: Reapply Foxit's libopenjpeg modifications.Lei Zhang
They were lost in commit d53e6fd. BUG=pdfium:168 TBR=tsepez@chromium.org Review URL: https://codereview.chromium.org/1196523002 . (cherry picked from commit 870b5b6793fa261f0c6f31f026010d2d715968bf) Review URL: https://codereview.chromium.org/1301323007 .
2015-08-28Merge to XFA: Check array bounds for opj_dwt_decode_1() and friends.Lei Zhang
Based on an earlier patch by jun_fang@foxitsoftware.com. BUG=450844 R=jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/1320443003 . (cherry picked from commit 463b77b4f1e4257cd89f3460b5a6fdb102f44265) Review URL: https://codereview.chromium.org/1319303003 .
2015-07-13Merge to XFA: Fix an integer overflow issue in openJpegJUN FANG
Fixing this issue for an urgent request. It should be fixed in OpenJPEG side. BUG=506763 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1231933008 .
2015-06-18Merge to XFA: Move libopenjpeg to third_party/Tom Sepez
Original Review URL: https://codereview.chromium.org/1185373010. TBR=thestig@chromium.org Review URL: https://codereview.chromium.org/1193773002.