From ff74356915d4c7f7c6eb16de1e9f403da4ecb6d5 Mon Sep 17 00:00:00 2001
From: gogil <gogil@stealien.com>
Date: Thu, 4 Aug 2016 16:48:04 -0700
Subject: openjpeg: Prevent integer overflows during calculation of
 |l_nb_code_blocks_size|

BUG=628890
R=ochang@chromium.org

Review-Url: https://codereview.chromium.org/2212973002
---
 AUTHORS                                            |  1 +
 third_party/libopenjpeg20/0019-tcd_init_tile.patch | 30 ++++++++++++++++++++++
 third_party/libopenjpeg20/README.pdfium            |  1 +
 third_party/libopenjpeg20/tcd.c                    |  7 +++++
 4 files changed, 39 insertions(+)
 create mode 100644 third_party/libopenjpeg20/0019-tcd_init_tile.patch

diff --git a/AUTHORS b/AUTHORS
index 142576870f..17a0c601de 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -16,6 +16,7 @@ Chery Cherian <cherycherian@gmail.com>
 Chris Palmer <palmer@chromium.org>
 Dan Sinclair <dsinclair@chromium.org>
 Finnur Thorarinsson <finnur@chromium.org>
+GiWan Go <gogil@stealien.com>
 Jiang Jiang <jiangj@opera.com>
 Jochen Eisinger <jochen@chromium.org>
 John Abd-El-Malek <jam@chromium.org>
diff --git a/third_party/libopenjpeg20/0019-tcd_init_tile.patch b/third_party/libopenjpeg20/0019-tcd_init_tile.patch
new file mode 100644
index 0000000000..d8e18facc9
--- /dev/null
+++ b/third_party/libopenjpeg20/0019-tcd_init_tile.patch
@@ -0,0 +1,30 @@
+diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
+index a9e289d..b1012af 100644
+--- a/third_party/libopenjpeg20/README.pdfium
++++ b/third_party/libopenjpeg20/README.pdfium
+@@ -28,4 +28,5 @@ Local Modifications:
+ 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc.
+ 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|.
+ 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
++0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|.
+ TODO(thestig): List all the other patches.
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index cd1c439..9270efe 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -939,8 +939,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ 					l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn);
+ 					l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn);
+ 					
++					if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) {
++						return OPJ_FALSE;
++					}
+ 					l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
+ 					/*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch);      */
++					
++					if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) {
++						return OPJ_FALSE;
++					}
+ 					l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
+ 					
+ 					if (! l_current_precinct->cblks.blocks) {
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index a9e289d10e..b1012af7bd 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -28,4 +28,5 @@ Local Modifications:
 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc.
 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|.
 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
+0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|.
 TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
index cd1c43921d..9270efe399 100644
--- a/third_party/libopenjpeg20/tcd.c
+++ b/third_party/libopenjpeg20/tcd.c
@@ -939,8 +939,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
 					l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn);
 					l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn);
 					
+					if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) {
+						return OPJ_FALSE;
+					}
 					l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
 					/*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch);      */
+					
+					if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) {
+						return OPJ_FALSE;
+					}
 					l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
 					
 					if (! l_current_precinct->cblks.blocks) {
-- 
cgit v1.2.3