From 341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Thu, 19 Jan 2017 12:42:20 -0500 Subject: Return error in opj_j2k_read_header_procedure if l_marker_size < 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we do not do this check, it will overflow to a huge unsigned int, so we will allocate a lot of memory etc. BUG=682182 Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff Reviewed-on: https://pdfium-review.googlesource.com/2272 Reviewed-by: dsinclair Reviewed-by: Tom Sepez Commit-Queue: Nicolás Peña --- third_party/libopenjpeg20/0024-l_marker_size_check.patch | 15 +++++++++++++++ third_party/libopenjpeg20/README.pdfium | 1 + third_party/libopenjpeg20/j2k.c | 4 ++++ 3 files changed, 20 insertions(+) create mode 100644 third_party/libopenjpeg20/0024-l_marker_size_check.patch diff --git a/third_party/libopenjpeg20/0024-l_marker_size_check.patch b/third_party/libopenjpeg20/0024-l_marker_size_check.patch new file mode 100644 index 0000000000..cb020c9d0e --- /dev/null +++ b/third_party/libopenjpeg20/0024-l_marker_size_check.patch @@ -0,0 +1,15 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index 45187e8e6..5de89cf0e 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k, + + /* read 2 bytes as the marker size */ + opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2); ++ if (l_marker_size < 2) { ++ opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n"); ++ return OPJ_FALSE; ++ } + l_marker_size -= 2; /* Subtract the size of the marker ID already read */ + + /* Check if the marker size is compatible with the header data size */ diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 283daf609f..0f453373f9 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -33,4 +33,5 @@ Local Modifications: 0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile. 0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr. 0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free. +0024-l_marker_size_check.patch: Return error before overflow in opj_j2k_read_header_procedure. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c index 45187e8e67..5de89cf0e7 100644 --- a/third_party/libopenjpeg20/j2k.c +++ b/third_party/libopenjpeg20/j2k.c @@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k, /* read 2 bytes as the marker size */ opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2); + if (l_marker_size < 2) { + opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n"); + return OPJ_FALSE; + } l_marker_size -= 2; /* Subtract the size of the marker ID already read */ /* Check if the marker size is compatible with the header data size */ -- cgit v1.2.3