From a408ac86ecad7086b3af6aa04d994cc4da16f52d Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Wed, 10 Jan 2018 16:45:17 +0000
Subject: [OpenJPEG] Fix integer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: 796812
Change-Id: I857f037028ea0e74544bdc7c8cd26b4b44e64ec4
Reviewed-on: https://pdfium-review.googlesource.com/22610
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 third_party/libopenjpeg20/j2k.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

(limited to 'third_party/libopenjpeg20/j2k.c')

diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 784a0620a5..cea6147096 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -9223,32 +9223,30 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
 
     l_img_comp = p_image->comps;
     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
-        OPJ_INT32 l_h, l_w;
-
         l_img_comp->x0 = opj_uint_ceildiv(p_image->x0, l_img_comp->dx);
         l_img_comp->y0 = opj_uint_ceildiv(p_image->y0, l_img_comp->dy);
         l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx);
         l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy);
 
-        l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor)
-              - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
-        if (l_w < 0) {
+        OPJ_INT32 l_1 = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor);
+        OPJ_INT32 l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor);
+        if (l_1 < l_2) {
             opj_event_msg(p_manager, EVT_ERROR,
-                          "Size x of the decoded component image is incorrect (comp[%d].w=%d).\n",
-                          it_comp, l_w);
+                          "Size x of the decoded component image is incorrect (comp[%d].w<0).\n",
+                          it_comp);
             return OPJ_FALSE;
         }
-        l_img_comp->w = (OPJ_UINT32)l_w;
+        l_img_comp->w = (OPJ_UINT32)(l_1-l_2);
 
-        l_h = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor)
-              - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
-        if (l_h < 0) {
+        l_1 = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor);
+        l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor);
+        if (l_1 < l_2) {
             opj_event_msg(p_manager, EVT_ERROR,
-                          "Size y of the decoded component image is incorrect (comp[%d].h=%d).\n",
-                          it_comp, l_h);
+                          "Size y of the decoded component image is incorrect (comp[%d].h<0).\n",
+                          it_comp);
             return OPJ_FALSE;
         }
-        l_img_comp->h = (OPJ_UINT32)l_h;
+        l_img_comp->h = (OPJ_UINT32)(l_1-l_2);
 
         l_img_comp++;
     }
-- 
cgit v1.2.3