From 767aebbef641a89498deebc29369a078207b4dcc Mon Sep 17 00:00:00 2001
From: Bo Xu <bo_xu@foxitsoftware.com>
Date: Tue, 21 Oct 2014 13:05:17 -0700
Subject: Update openjpeg to r2908

BUG=414089, 414310, 414606
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/670813002
---
 core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

(limited to 'core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c')

diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c
index cdd35e8c22..1a29cccfc6 100644
--- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c
+++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c
@@ -242,6 +242,11 @@ OPJ_BOOL opj_t2_encode_packets( opj_t2_t* p_t2,
                                 /* TODO MSD : check why this function cannot fail (cf. v1) */
                                 opj_pi_create_encode(l_pi, l_cp,p_tile_no,poc,l_tp_num,p_tp_pos,p_t2_mode);
 
+                                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                                    /* TODO ADE : add an error */
+                                    opj_pi_destroy(l_pi, l_nb_pocs);
+                                    return OPJ_FALSE;
+                                }
                                 while (opj_pi_next(l_current_pi)) {
                                         if (l_current_pi->layno < p_maxlayers) {
                                                 l_nb_bytes = 0;
@@ -274,7 +279,11 @@ OPJ_BOOL opj_t2_encode_packets( opj_t2_t* p_t2,
                 opj_pi_create_encode(l_pi, l_cp,p_tile_no,p_pino,p_tp_num,p_tp_pos,p_t2_mode);
 
                 l_current_pi = &l_pi[p_pino];
-
+                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                    /* TODO ADE : add an error */
+                    opj_pi_destroy(l_pi, l_nb_pocs);
+                    return OPJ_FALSE;
+                }
                 while (opj_pi_next(l_current_pi)) {
                         if (l_current_pi->layno < p_maxlayers) {
                                 l_nb_bytes=0;
@@ -386,6 +395,11 @@ OPJ_BOOL opj_t2_decode_packets( opj_t2_t *p_t2,
                 }
                 memset(first_pass_failed, OPJ_TRUE, l_image->numcomps * sizeof(OPJ_BOOL));
 
+                if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) {
+                    /* TODO ADE : add an error */
+                    opj_pi_destroy(l_pi, l_nb_pocs);
+                    return OPJ_FALSE;
+                }
                 while (opj_pi_next(l_current_pi)) {
                   JAS_FPRINTF( stderr, "packet offset=00000166 prg=%d cmptno=%02d rlvlno=%02d prcno=%03d lyrno=%02d\n\n",
                     l_current_pi->poc.prg1, l_current_pi->compno, l_current_pi->resno, l_current_pi->precno, l_current_pi->layno );
@@ -1265,7 +1279,8 @@ OPJ_BOOL opj_t2_skip_packet_data(   opj_t2_t* p_t2,
                         }
 
                         do {
-                                if (* p_data_read + l_seg->newlen > p_max_length) {
+                                /* Check possible overflow then size */
+                                if (((*p_data_read + l_seg->newlen) < (*p_data_read)) || ((*p_data_read + l_seg->newlen) > p_max_length)) {
                                         fprintf(stderr, "skip: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n",
                                                 l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno);
                                         return OPJ_FALSE;
-- 
cgit v1.2.3