From ff74356915d4c7f7c6eb16de1e9f403da4ecb6d5 Mon Sep 17 00:00:00 2001 From: gogil Date: Thu, 4 Aug 2016 16:48:04 -0700 Subject: openjpeg: Prevent integer overflows during calculation of |l_nb_code_blocks_size| BUG=628890 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2212973002 --- third_party/libopenjpeg20/tcd.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'third_party/libopenjpeg20/tcd.c') diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c index cd1c43921d..9270efe399 100644 --- a/third_party/libopenjpeg20/tcd.c +++ b/third_party/libopenjpeg20/tcd.c @@ -939,8 +939,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn); l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn); + if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) { + return OPJ_FALSE; + } l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch; /*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */ + + if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) { + return OPJ_FALSE; + } l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block; if (! l_current_precinct->cblks.blocks) { -- cgit v1.2.3