From b20ab6c7acb3be1393461eb650ca8fa4660c937e Mon Sep 17 00:00:00 2001
From: gogil <gogil@stealien.com>
Date: Thu, 4 Aug 2016 22:43:10 -0700
Subject: openjpeg: Prevent overflows when using opj_aligned_malloc()

BUG=628304
R=thestig@chromium.org, ochang@chromium.org

Review-Url: https://codereview.chromium.org/2218783002
---
 third_party/libopenjpeg20/t1.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'third_party/libopenjpeg20/t1.c')

diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
index 108ce78b60..a119db1f76 100644
--- a/third_party/libopenjpeg20/t1.c
+++ b/third_party/libopenjpeg20/t1.c
@@ -1173,6 +1173,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
 	if (!t1->encoder) {
 		if(datasize > t1->datasize){
 			opj_aligned_free(t1->data);
+			if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) {
+				return OPJ_FALSE;
+			}
 			t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
 			if(!t1->data){
 				/* FIXME event manager error callback */
@@ -1187,6 +1190,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
 
 	if(flagssize > t1->flagssize){
 		opj_aligned_free(t1->flags);
+		if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssize) {
+			return OPJ_FALSE;
+		}
 		t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
 		if(!t1->flags){
 			/* FIXME event manager error callback */
-- 
cgit v1.2.3