From 44bc1f818dd791c2a5a81103be3853093fd934b3 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Tue, 10 Jan 2017 16:40:29 -0500
Subject: Fix m_nb_mct_records calculation in opj_j2k_read_mct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Now we update m_nb_mct_records only when there was a new mct record, and l_mct_data computations all went through. In previous version, the ++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that this is similar to the analoguous in opj_j2k_read_mcc.
CL that changed the calculation: https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60
BUG=678461
Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662
Reviewed-on: https://pdfium-review.googlesource.com/2165
Commit-Queue: Nicolás Peña
Reviewed-by: dsinclair
---
 .../0023-opj_j2k_read_mct_records.patch | 34 ++++++++++++++++++++++
 third_party/libopenjpeg20/README.pdfium | 1 +
 third_party/libopenjpeg20/j2k.c | 7 +++--
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch

diff --git a/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
new file mode 100644
index 0000000000..3a40b75189
--- /dev/null
+++ b/third_party/libopenjpeg20/0023-opj_j2k_read_mct_records.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 6346c2190..d4dd65827 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ ++l_mct_data;
+ }
+
++ opj_mct_data_t *new_mct_records = NULL;
++
+ /* NOT FOUND */
+ if (i == l_tcp->m_nb_mct_records) {
+ if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
+- opj_mct_data_t *new_mct_records;
+ l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
+
+ new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
+@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+ }
+
+ l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
+- ++l_tcp->m_nb_mct_records;
+ }
+
+ if (l_mct_data->m_data) {
+@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
+
+ l_mct_data->m_data_size = p_header_size;
+
++ if (new_mct_records) {
++ ++l_tcp->m_nb_mct_records;
++ }
+ return OPJ_TRUE;
+ }
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 2c8d93c1d0..283daf609f 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -32,4 +32,5 @@ Local Modifications:
 0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
 0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
 0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr.
+0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free.
 TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 6346c21907..d4dd65827c 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -5170,10 +5170,11 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
 ++l_mct_data;
 }
+ opj_mct_data_t *new_mct_records = NULL;
+
 /* NOT FOUND */
 if (i == l_tcp->m_nb_mct_records) {
 if (l_tcp->m_nb_mct_records == l_tcp->m_nb_max_mct_records) {
- opj_mct_data_t *new_mct_records;
 l_tcp->m_nb_max_mct_records += OPJ_J2K_MCT_DEFAULT_NB_RECORDS;
 new_mct_records = (opj_mct_data_t *) opj_realloc(l_tcp->m_mct_records, l_tcp->m_nb_max_mct_records * sizeof(opj_mct_data_t));
@@ -5191,7 +5192,6 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
 }
 l_mct_data = l_tcp->m_mct_records + l_tcp->m_nb_mct_records;
- ++l_tcp->m_nb_mct_records;
 }
 if (l_mct_data->m_data) {
@@ -5221,6 +5221,9 @@ static OPJ_BOOL opj_j2k_read_mct ( opj_j2k_t *p_j2k,
 l_mct_data->m_data_size = p_header_size;
+ if (new_mct_records) {
+ ++l_tcp->m_nb_mct_records;
+ }
 return OPJ_TRUE;
 }
-- 
cgit v1.2.3
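Review bot: Gating the final increment on `new_mct_records` being non-NULL (third hunk) undercounts records, because that pointer is assigned only inside the `m_nb_mct_records == m_nb_max_mct_records` branch of the first hunk, so a new record stored into spare capacity leaves `m_nb_mct_records` unchanged. On the next MCT segment with an unseen index the search again stops at `i == l_tcp->m_nb_mct_records`, `l_mct_data` resolves to the same slot, and the `if (l_mct_data->m_data)` branch closing the second hunk presumably releases the record just stored before the new data replaces it, silently dropping every record after the first in a growth batch. The flag should record "not found" rather than "array grew": declare `OPJ_BOOL l_new_mct = OPJ_FALSE;` where `new_mct_records` is now initialised, put `l_new_mct = OPJ_TRUE;` as the first statement of the `if (i == l_tcp->m_nb_mct_records)` block, and make the last hunk `if (l_new_mct) { ++l_tcp->m_nb_mct_records; }`, which is the shape the message attributes to opj_j2k_read_mcc and lets `new_mct_records` return to its original inner-block scope. Moving that flag declaration to the top of the function would also keep this file, which otherwise declares at block top, free of a declaration after statements. The same lines are duplicated in 0023-opj_j2k_read_mct_records.patch; opj_j2k_read_mct begins before the first hunk and the realloc-failure handling between the first and second hunks is not shown, so the count's consistency on that path cannot be checked from here.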