From b6befb2ed2485a3805cddea86dc7574510178ea9 Mon Sep 17 00:00:00 2001 From: ochang Date: Mon, 8 Aug 2016 16:52:28 -0700 Subject: openjpeg: Prevent negative x, y values in opj_tcd_init_tile BUG=632622 Review-Url: https://codereview.chromium.org/2223303002 --- .../libopenjpeg20/0021-tcd_init_tile_negative.patch | 21 +++++++++++++++++++++ third_party/libopenjpeg20/README.pdfium | 1 + third_party/libopenjpeg20/tcd.c | 7 +++++++ 3 files changed, 29 insertions(+) create mode 100644 third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch diff --git a/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch new file mode 100644 index 0000000000..33694f81fc --- /dev/null +++ b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch @@ -0,0 +1,21 @@ +diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c +index 9270efe..06eee4e 100644 +--- a/third_party/libopenjpeg20/tcd.c ++++ b/third_party/libopenjpeg20/tcd.c +@@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ + l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); + l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); ++ if (l_tile->x0 < 0 || l_tile->x1 < 0) { ++ return OPJ_FALSE; ++ } ++ + l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ + l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); + l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); ++ if (l_tile->y0 < 0 || l_tile->y1 < 0) { ++ return OPJ_FALSE; ++ } + + /* testcase 1888.pdf.asan.35.988 */ + if (l_tccp->numresolutions == 0) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index a40ed7ba3f..7779044799 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -30,4 +30,5 @@ Local Modifications: 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size. 0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|. 0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc(). +0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c index 9270efe399..06eee4ebd5 100644 --- a/third_party/libopenjpeg20/tcd.c +++ b/third_party/libopenjpeg20/tcd.c @@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); + if (l_tile->x0 < 0 || l_tile->x1 < 0) { + return OPJ_FALSE; + } + l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); + if (l_tile->y0 < 0 || l_tile->y1 < 0) { + return OPJ_FALSE; + } /* testcase 1888.pdf.asan.35.988 */ if (l_tccp->numresolutions == 0) { -- cgit v1.2.3