From db319ec6a9330e75276b873f6027caddf2a15ec0 Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Mon, 12 Sep 2016 14:04:08 -0700
Subject: Verify value of prec before using

The fx_codec_jpx_opj code will attempt to do a 1 << (prec - 1). If the prec value is >=32 then that shift will overflow the int value. This CL adds a check that prec is < 32 before attempting the shift.

BUG=chromium:633208
Review-Url: https://codereview.chromium.org/2334823002
---
 core/fxcodec/codec/fx_codec_jpx_opj.cpp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'core/fxcodec')
diff --git a/core/fxcodec/codec/fx_codec_jpx_opj.cpp b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
index ed9331974d..a1c38d06e9 100644
--- a/core/fxcodec/codec/fx_codec_jpx_opj.cpp
+++ b/core/fxcodec/codec/fx_codec_jpx_opj.cpp
@@ -231,6 +231,9 @@ static void sycc422_to_rgb(opj_image_t* img) {
 return;
 int prec = img->comps[0].prec;
+ if (prec <= 0 || prec >= 32)
+ return;
+
+ int offset = 1 << (prec - 1);
 int upb = (1 << prec) - 1;
-- cgit v1.2.3
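Review bot: The new guard `if (prec <= 0 || prec >= 32)` still admits prec == 31, and the line `int upb = (1 << prec) - 1;` just below it then shifts into the sign bit of what is presumably a 32-bit int, so the overflow this commit targets is closed for `offset` but not for `upb`. Because `img->comps[0].prec` appears to come from the decoded image and should be treated as untrusted, either tighten the bound to `prec >= 31` or build the mask unsigned, e.g. `int upb = static_cast<int>((1u << prec) - 1);`. A short comment on the guard, such as `// prec comes from the codestream; keep both shifts below within int range`, would record why the bound exists. The body of sycc422_to_rgb continues outside the hunk, so it is not visible here whether later code depends on a wider precision or whether the other components' prec values are validated.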