From d53e6fdb0a86ca1ddb12876a60f7f2d7508b5349 Mon Sep 17 00:00:00 2001 From: Bo Xu Date: Tue, 30 Sep 2014 11:12:05 -0700 Subject: Update openjpeg BUG=407964, 414182, 413447 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/589243004 --- core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c | 29 +++++++++++++++------- 1 file changed, 20 insertions(+), 9 deletions(-) (limited to 'core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c') diff --git a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c index de054acc54..f2a7c9a57c 100644 --- a/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c +++ b/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c @@ -218,7 +218,7 @@ OPJ_BOOL opj_t2_encode_packets( opj_t2_t* p_t2, opj_image_t *l_image = p_t2->image; opj_cp_t *l_cp = p_t2->cp; opj_tcp_t *l_tcp = &l_cp->tcps[p_tile_no]; - OPJ_UINT32 pocno = l_cp->m_specific_param.m_enc.m_cinema == OPJ_CINEMA4K_24? 2: 1; + OPJ_UINT32 pocno = (l_cp->rsiz == OPJ_PROFILE_CINEMA_4K)? 2: 1; OPJ_UINT32 l_max_comp = l_cp->m_specific_param.m_enc.m_max_comp_size > 0 ? l_image->numcomps : 1; OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; @@ -477,11 +477,10 @@ OPJ_BOOL opj_t2_decode_packets( opj_t2_t *p_t2, opj_t2_t* opj_t2_create(opj_image_t *p_image, opj_cp_t *p_cp) { /* create the t2 structure */ - opj_t2_t *l_t2 = (opj_t2_t*)opj_malloc(sizeof(opj_t2_t)); + opj_t2_t *l_t2 = (opj_t2_t*)opj_calloc(1,sizeof(opj_t2_t)); if (!l_t2) { return NULL; } - memset(l_t2,0,sizeof(opj_t2_t)); l_t2->image = p_image; l_t2->cp = p_cp; @@ -599,6 +598,10 @@ OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno, } bio = opj_bio_create(); + if (!bio) { + /* FIXME event manager error callback */ + return OPJ_FALSE; + } opj_bio_init_enc(bio, c, length); opj_bio_write(bio, 1, 1); /* Empty header bit */ @@ -863,11 +866,10 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2, if (p_tcp->csty & J2K_CP_CSTY_SOP) { if (p_max_length < 6) { /* TODO opj_event_msg(p_t2->cinfo->event_mgr, EVT_WARNING, "Not enough space for expected SOP marker\n"); */ - printf("Not enough space for expected SOP marker\n"); + fprintf(stderr, "Not enough space for expected SOP marker\n"); } else if ((*l_current_data) != 0xff || (*(l_current_data + 1) != 0x91)) { /* TODO opj_event_msg(p_t2->cinfo->event_mgr, EVT_WARNING, "Expected SOP marker\n"); */ - printf("Expected SOP marker\n"); - fprintf(stderr, "Error : expected SOP marker\n"); + fprintf(stderr, "Warning: expected SOP marker\n"); } else { l_current_data += 6; } @@ -917,7 +919,7 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2, /* EPH markers */ if (p_tcp->csty & J2K_CP_CSTY_EPH) { - if (p_max_length < 2) { + if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data - *l_header_data_start)) < 2U) { fprintf(stderr, "Not enough space for expected EPH marker\n"); } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) { fprintf(stderr, "Error : expected EPH marker\n"); @@ -1045,7 +1047,7 @@ OPJ_BOOL opj_t2_read_packet_header( opj_t2_t* p_t2, /* EPH markers */ if (p_tcp->csty & J2K_CP_CSTY_EPH) { - if (p_max_length < 2) { + if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data - *l_header_data_start)) < 2U) { fprintf(stderr, "Not enough space for expected EPH marker\n"); } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) { /* TODO opj_event_msg(t2->cinfo->event_mgr, EVT_ERROR, "Expected EPH marker\n"); */ @@ -1129,7 +1131,8 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2, } do { - if (l_current_data + l_seg->newlen > p_src_data + p_max_length) { + /* Check possible overflow (on l_current_data only, assumes input args already checked) then size */ + if (((OPJ_SIZE_T)(l_current_data + l_seg->newlen) < (OPJ_SIZE_T)l_current_data) || (l_current_data + l_seg->newlen > p_src_data + p_max_length)) { fprintf(stderr, "read: segment too long (%d) with max (%d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n", l_seg->newlen, p_max_length, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno); return OPJ_FALSE; @@ -1154,11 +1157,18 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2, }; #endif /* USE_JPWL */ + /* Check possible overflow on size */ + if ((l_cblk->data_current_size + l_seg->newlen) < l_cblk->data_current_size) { + fprintf(stderr, "read: segment too long (%d) with current size (%d > %d) for codeblock %d (p=%d, b=%d, r=%d, c=%d)\n", + l_seg->newlen, l_cblk->data_current_size, 0xFFFFFFFF - l_seg->newlen, cblkno, p_pi->precno, bandno, p_pi->resno, p_pi->compno); + return OPJ_FALSE; + } /* Check if the cblk->data have allocated enough memory */ if ((l_cblk->data_current_size + l_seg->newlen) > l_cblk->data_max_size) { OPJ_BYTE* new_cblk_data = (OPJ_BYTE*) opj_realloc(l_cblk->data, l_cblk->data_current_size + l_seg->newlen); if(! new_cblk_data) { opj_free(l_cblk->data); + l_cblk->data = NULL; l_cblk->data_max_size = 0; /* opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to realloc code block cata!\n"); */ return OPJ_FALSE; @@ -1197,6 +1207,7 @@ OPJ_BOOL opj_t2_read_packet_data( opj_t2_t* p_t2, *(p_data_read) = (OPJ_UINT32)(l_current_data - p_src_data); + return OPJ_TRUE; } -- cgit v1.2.3