From d8cc503575463ff3d81b22dad292665f2c88911e Mon Sep 17 00:00:00 2001
From: ochang
Date: Mon, 25 Jul 2016 15:09:34 -0700
Subject: Fix an integer overflow in opj_tcd_get_decoded_tile_size(). Based on suggested patch by reporter.
BUG=629919
Review-Url: https://codereview.chromium.org/2182683002
---
third_party/libopenjpeg20/j2k.c | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'third_party/libopenjpeg20/j2k.c')
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index b5f6fe90f5..6346c21907 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -8028,6 +8028,10 @@ OPJ_BOOL opj_j2k_read_tile_header( opj_j2k_t * p_j2k,
 *p_tile_index = p_j2k->m_current_tile_number;
 *p_go_on = OPJ_TRUE;
 *p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
+ if (*p_data_size == (OPJ_UINT32)-1) {
+ return OPJ_FALSE;
+ }
+
 *p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
 *p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
 *p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
-- cgit v1.2.3
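Review bot: The new early return in opj_j2k_read_tile_header fires after `*p_tile_index` and `*p_go_on = OPJ_TRUE;` have already been stored, so on the overflow path the caller is left with `*p_go_on` true and `*p_data_size` holding the sentinel even though the function reports failure. Adding `*p_go_on = OPJ_FALSE;` before `return OPJ_FALSE;`, or performing the size check before any output parameter is written, would stop a caller that mishandles the return value from sizing a buffer from 0xFFFFFFFF. The bare `(OPJ_UINT32)-1` also encodes a contract that lives in opj_tcd_get_decoded_tile_size(), which this page does not show (the diff is limited to j2k.c). A comment such as `/* (OPJ_UINT32)-1: decoded tile size does not fit in 32 bits */`, or a named constant shared with the callee, would keep the two sides in step. The function body starts and ends outside the hunk, so whether this failure is logged, and whether other callers of the size function need the same check, cannot be confirmed from here.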