From e13ad88925bde037f4ed3b60f9ea5f01b883aa6e Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Tue, 28 Feb 2017 18:24:29 -0500 Subject: LibOpenJPEG upstream: check size in opj_j2k_read_siz This happens to fix the bug in question but I suspect they still do not have enough checks to prevent undefined shifts. Patch: https://github.com/uclouvain/openjpeg/pull/762/commits/5afb4d0546dd1b0a162b4e895cfdcfa4b32f1180 BUG=694042 Change-Id: I9466eb2b095f07233517ff5f1bcb0c2437be78ac Reviewed-on: https://pdfium-review.googlesource.com/2888 Commit-Queue: dsinclair Reviewed-by: dsinclair --- ...8-upstream-check-size-in-opj_j2k_read_siz.patch | 22 ++++++++++++++++++++++ third_party/libopenjpeg20/README.pdfium | 1 + third_party/libopenjpeg20/j2k.c | 8 +++++++- 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 third_party/libopenjpeg20/0028-upstream-check-size-in-opj_j2k_read_siz.patch diff --git a/third_party/libopenjpeg20/0028-upstream-check-size-in-opj_j2k_read_siz.patch b/third_party/libopenjpeg20/0028-upstream-check-size-in-opj_j2k_read_siz.patch new file mode 100644 index 0000000000..22d5562a77 --- /dev/null +++ b/third_party/libopenjpeg20/0028-upstream-check-size-in-opj_j2k_read_siz.patch @@ -0,0 +1,22 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index e77edd22b..cb5a28373 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -2117,10 +2117,16 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k, + if( l_img_comp->dx < 1 || l_img_comp->dx > 255 || + l_img_comp->dy < 1 || l_img_comp->dy > 255 ) { + opj_event_msg(p_manager, EVT_ERROR, +- "Invalid values for comp = %d : dx=%u dy=%u\n (should be between 1 and 255 according the JPEG2000 norm)", ++ "Invalid values for comp = %d : dx=%u dy=%u (should be between 1 and 255 according to the JPEG2000 norm)\n", + i, l_img_comp->dx, l_img_comp->dy); + return OPJ_FALSE; + } ++ if( l_img_comp->prec > 38) { /* TODO openjpeg won't handle more than ? */ ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Invalid values for comp = %d : prec=%u (should be between 1 and 38 according to the JPEG2000 norm)\n", ++ i, l_img_comp->prec); ++ return OPJ_FALSE; ++ } + + #ifdef USE_JPWL + if (l_cp->correct) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index ea8f5239ba..6c2a3c74ba 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -37,4 +37,5 @@ Local Modifications: 0025-opj_j2k_add_mct_null_data.patch: Check m_data != null before trying to read from it. 0026-use_opj_uint_ceildiv.patch: Remove (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b). 0027-undefined-shift-opj_t1_decode_cblk.patch: upstream fix for a ubsan bug. +0028-upstream-check-size-in-opj_j2k_read_siz.patch: upstream patch in j2k.c. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c index e77edd22b8..cb5a283732 100644 --- a/third_party/libopenjpeg20/j2k.c +++ b/third_party/libopenjpeg20/j2k.c @@ -2117,10 +2117,16 @@ static OPJ_BOOL opj_j2k_read_siz(opj_j2k_t *p_j2k, if( l_img_comp->dx < 1 || l_img_comp->dx > 255 || l_img_comp->dy < 1 || l_img_comp->dy > 255 ) { opj_event_msg(p_manager, EVT_ERROR, - "Invalid values for comp = %d : dx=%u dy=%u\n (should be between 1 and 255 according the JPEG2000 norm)", + "Invalid values for comp = %d : dx=%u dy=%u (should be between 1 and 255 according to the JPEG2000 norm)\n", i, l_img_comp->dx, l_img_comp->dy); return OPJ_FALSE; } + if( l_img_comp->prec > 38) { /* TODO openjpeg won't handle more than ? */ + opj_event_msg(p_manager, EVT_ERROR, + "Invalid values for comp = %d : prec=%u (should be between 1 and 38 according to the JPEG2000 norm)\n", + i, l_img_comp->prec); + return OPJ_FALSE; + } #ifdef USE_JPWL if (l_cp->correct) { -- cgit v1.2.3