From 2ddf1ccbf8c0596c0ba994114420a50fca2240f3 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Thu, 8 Jun 2017 15:09:35 -0400
Subject: Guard against undefined shifting in JPX decoder

If the prec value in syncc444_to_rgb is more then 30 then when we shift
left we'll go negative. The subsequent -1 will cause an overflow. This
CL early returns if the prec value is > 30.

Bug: chromium:728321
Change-Id: I4d25e9bab840bc6d46f8db3490c9484392cd7a32
Reviewed-on: https://pdfium-review.googlesource.com/6414
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
---
 core/fxcodec/codec/fx_codec_jpx_opj.cpp | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'core/fxcodec')

diff --git a/core/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
index 9627025164..74ab5f277d 100644
--- a/core/fxcodec/codec/fx_codec_jpx_opj.cpp
+++ b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
@@ -162,6 +162,9 @@ static void sycc_to_rgb(int offset,
 
 static void sycc444_to_rgb(opj_image_t* img) {
   int prec = img->comps[0].prec;
+  // If we shift 31 we're going to go negative, then things go bad.
+  if (prec > 30)
+    return;
   int offset = 1 << (prec - 1);
   int upb = (1 << prec) - 1;
   OPJ_UINT32 maxw =
-- 
cgit v1.2.3