From e8200e94898f7e8f50c11bb8b7b39d96b01bd653 Mon Sep 17 00:00:00 2001 From: Jun Fang Date: Tue, 15 Dec 2015 11:51:06 +0800 Subject: Fix a dividing zero bug in opj_tcd_init_tile() BUG=541446 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1520203002 . --- third_party/libopenjpeg20/0006-tcd_init_tile.patch | 16 ++++++++++++++++ third_party/libopenjpeg20/README.pdfium | 1 + third_party/libopenjpeg20/tcd.c | 5 ++++- 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 third_party/libopenjpeg20/0006-tcd_init_tile.patch diff --git a/third_party/libopenjpeg20/0006-tcd_init_tile.patch b/third_party/libopenjpeg20/0006-tcd_init_tile.patch new file mode 100644 index 0000000000..6c00f4096b --- /dev/null +++ b/third_party/libopenjpeg20/0006-tcd_init_tile.patch @@ -0,0 +1,16 @@ +diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c +index 2fccff1..aebe9be 100644 +--- a/third_party/libopenjpeg20/tcd.c ++++ b/third_party/libopenjpeg20/tcd.c +@@ -727,7 +727,10 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx); + l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy); + /*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/ +- ++ if (l_tilec->x0 >= l_tilec->x1 || l_tilec->y0 >= l_tilec->y1) { ++ opj_event_msg(manager, EVT_ERROR, "Invalid tile data\n"); ++ return OPJ_FALSE; ++ } + /* compute l_data_size with overflow check */ + l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0); + if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 67f2f6e500..e3d61e891c 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -15,4 +15,5 @@ Local Modifications: 0003-dwt-decode.patch: Check array bounds for opj_dwt_decode_1() and friends. 0004-j2k_read_mcc.patch: Move incrementing of l_tcp->m_nb_mcc_records to the right place. 0005-jp2_apply_pclr.patch: Fix out of bounds access. +0006-tcd_init_tile.patch: Fix a dividing zero bug in opj_tcd_init_tile(). TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c index 2fccff1c9c..aebe9be96c 100644 --- a/third_party/libopenjpeg20/tcd.c +++ b/third_party/libopenjpeg20/tcd.c @@ -727,7 +727,10 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_tilec->x1 = opj_int_ceildiv(l_tile->x1, (OPJ_INT32)l_image_comp->dx); l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy); /*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/ - + if (l_tilec->x0 >= l_tilec->x1 || l_tilec->y0 >= l_tilec->y1) { + opj_event_msg(manager, EVT_ERROR, "Invalid tile data\n"); + return OPJ_FALSE; + } /* compute l_data_size with overflow check */ l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0); if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) { -- cgit v1.2.3