From 83ad95c4e0b220a37af078e7e4e45b199052bf2e Mon Sep 17 00:00:00 2001 From: JUN FANG Date: Mon, 13 Jul 2015 06:34:20 -0700 Subject: Merge to XFA: Fix an integer overflow issue in openJpeg Fixing this issue for an urgent request. It should be fixed in OpenJPEG side. BUG=506763 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1231933008 . --- third_party/libopenjpeg20/pi.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/third_party/libopenjpeg20/pi.c b/third_party/libopenjpeg20/pi.c index 393a1e5540..d2ba3a14c6 100644 --- a/third_party/libopenjpeg20/pi.c +++ b/third_party/libopenjpeg20/pi.c @@ -36,6 +36,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ +#include #include "opj_includes.h" /** @defgroup PI PI - Implementation of a packet iterator */ @@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, l_current_pi = l_pi; /* memory allocation for include */ - l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); + l_current_pi->include = 00; + if + (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1) + { + l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16)); + } + if (!l_current_pi->include) { -- cgit v1.2.3
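Review bot: The new guard in front of `opj_calloc` bounds only the final product `(l_tcp->numlayers + 1) * l_step_l`, while `l_step_l` is computed outside this hunk; if it is itself a product of codestream-derived counts, it may already have wrapped before it is tested here, so that earlier arithmetic deserves the same check. The limit is written against `UINT_MAX`, which is exact only if both operands are `unsigned int` wide; if they are the library's 32-bit type, a bound tied to that type would state the intent precisely. A rejected size leaves `include` null and falls into the existing `if (!l_current_pi->include)` path, whose body is outside the hunk, so a malformed stream is reported the same way as an allocation failure. A comment above the guard such as `/* refuse a layer count whose include[] size would wrap; handled as allocation failure below */` would record that. The enclosing `opj_pi_create_decode` starts and ends outside the hunk.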