From ff74356915d4c7f7c6eb16de1e9f403da4ecb6d5 Mon Sep 17 00:00:00 2001 From: gogil Date: Thu, 4 Aug 2016 16:48:04 -0700 Subject: openjpeg: Prevent integer overflows during calculation of |l_nb_code_blocks_size| BUG=628890 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2212973002 --- AUTHORS | 1 + third_party/libopenjpeg20/0019-tcd_init_tile.patch | 30 ++++++++++++++++++++++ third_party/libopenjpeg20/README.pdfium | 1 + third_party/libopenjpeg20/tcd.c | 7 +++++ 4 files changed, 39 insertions(+) create mode 100644 third_party/libopenjpeg20/0019-tcd_init_tile.patch diff --git a/AUTHORS b/AUTHORS index 142576870f..17a0c601de 100644 --- a/AUTHORS +++ b/AUTHORS @@ -16,6 +16,7 @@ Chery Cherian Chris Palmer Dan Sinclair Finnur Thorarinsson +GiWan Go Jiang Jiang Jochen Eisinger John Abd-El-Malek diff --git a/third_party/libopenjpeg20/0019-tcd_init_tile.patch b/third_party/libopenjpeg20/0019-tcd_init_tile.patch new file mode 100644 index 0000000000..d8e18facc9 --- /dev/null +++ b/third_party/libopenjpeg20/0019-tcd_init_tile.patch @@ -0,0 +1,30 @@ +diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium +index a9e289d..b1012af 100644 +--- a/third_party/libopenjpeg20/README.pdfium ++++ b/third_party/libopenjpeg20/README.pdfium +@@ -28,4 +28,5 @@ Local Modifications: + 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc. + 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|. + 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size. ++0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|. + TODO(thestig): List all the other patches. +diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c +index cd1c439..9270efe 100644 +--- a/third_party/libopenjpeg20/tcd.c ++++ b/third_party/libopenjpeg20/tcd.c +@@ -939,8 +939,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn); + l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn); + ++ if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) { ++ return OPJ_FALSE; ++ } + l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch; + /*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */ ++ ++ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) { ++ return OPJ_FALSE; ++ } + l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block; + + if (! l_current_precinct->cblks.blocks) { diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index a9e289d10e..b1012af7bd 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -28,4 +28,5 @@ Local Modifications: 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc. 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|. 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size. +0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|. TODO(thestig): List all the other patches. diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c index cd1c43921d..9270efe399 100644 --- a/third_party/libopenjpeg20/tcd.c +++ b/third_party/libopenjpeg20/tcd.c @@ -939,8 +939,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn); l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn); + if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) { + return OPJ_FALSE; + } l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch; /*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */ + + if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) { + return OPJ_FALSE; + } l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block; if (! l_current_precinct->cblks.blocks) { -- cgit v1.2.3