From 3026f26aa69e983837d05a5477fe22e79aed0d26 Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Mon, 14 Dec 2015 15:07:26 -0800
Subject: openjpeg: Fix crash in opj_jp2_apply_pclr

R=tsepez@chromium.org, antonin@gmail.com, mathieu.malaterre@gmail.com
BUG=554172

Review URL: https://codereview.chromium.org/1492693003 .
---
 .../libopenjpeg20/0005-jp2_apply_pclr.patch | 49 ++++++++++++++++++++++
 third_party/libopenjpeg20/README.pdfium | 1 +
 third_party/libopenjpeg20/jp2.c | 14 +++----
 3 files changed, 57 insertions(+), 7 deletions(-)
 create mode 100644 third_party/libopenjpeg20/0005-jp2_apply_pclr.patch
(limited to 'third_party')
diff --git a/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch b/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch
new file mode 100644
index 0000000000..fd3ca634ca
--- /dev/null
+++ b/third_party/libopenjpeg20/0005-jp2_apply_pclr.patch
@@ -0,0 +1,49 @@
+diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
+index 47f83a1..6e910a9 100644
+--- a/third_party/libopenjpeg20/jp2.c
++++ b/third_party/libopenjpeg20/jp2.c
+@@ -902,7 +902,7 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid component/palette index for direct mapping %d.\n", pcol);
+ is_sane = OPJ_FALSE;
+ }
+- else if (pcol_usage[pcol] && cmap[i].mtyp == 1) {
++ else if (pcol_usage[pcol] && cmap[i].mtyp != 0) {
+ opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
+ is_sane = OPJ_FALSE;
+ }
+@@ -982,8 +982,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ assert( pcol == 0 );
+ new_comps[i] = old_comps[cmp];
+ } else {
+- assert( i == pcol );
+- new_comps[pcol] = old_comps[cmp];
++ assert( i == pcol ); // probably wrong?
++ new_comps[i] = old_comps[cmp];
+ }
+
+ /* Palette mapping: */
+@@ -1007,11 +1007,11 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ cmp = cmap[i].cmp; pcol = cmap[i].pcol;
+ src = old_comps[cmp].data;
+ assert( src );
+- max = new_comps[pcol].w * new_comps[pcol].h;
++ max = new_comps[i].w * new_comps[i].h;
+
+ /* Direct use: */
+ if(cmap[i].mtyp == 0) {
+- assert( cmp == 0 );
++ assert( cmp == 0 ); // probably wrong.
+ dst = new_comps[i].data;
+ assert( dst );
+ for(j = 0; j < max; ++j) {
+@@ -1019,8 +1019,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
+ }
+ }
+ else {
+- assert( i == pcol );
+- dst = new_comps[pcol].data;
++ assert( i == pcol ); // probably wrong?
++ dst = new_comps[i].data;
+ assert( dst );
+ for(j = 0; j < max; ++j) {
+ /* The index */
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 728c0d8b99..67f2f6e500 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -14,4 +14,5 @@ Local Modifications:
 0002-packet-iterator.patch: Fix integer overflow in opj_pi_create_decode().
 0003-dwt-decode.patch: Check array bounds for opj_dwt_decode_1() and friends.
 0004-j2k_read_mcc.patch: Move incrementing of l_tcp->m_nb_mcc_records to the right place.
+0005-jp2_apply_pclr.patch: Fix out of bounds access.
 TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/jp2.c b/third_party/libopenjpeg20/jp2.c
index 47f83a1abc..6e910a911a 100644
--- a/third_party/libopenjpeg20/jp2.c
+++ b/third_party/libopenjpeg20/jp2.c
@@ -902,7 +902,7 @@ static OPJ_BOOL opj_jp2_check_color(opj_image_t *image, opj_jp2_color_t *color,
 opj_event_msg(p_manager, EVT_ERROR, "Invalid component/palette index for direct mapping %d.\n", pcol);
 is_sane = OPJ_FALSE;
 }
- else if (pcol_usage[pcol] && cmap[i].mtyp == 1) {
+ else if (pcol_usage[pcol] && cmap[i].mtyp != 0) {
 opj_event_msg(p_manager, EVT_ERROR, "Component %d is mapped twice.\n", pcol);
 is_sane = OPJ_FALSE;
 }
@@ -982,8 +982,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
 assert( pcol == 0 );
 new_comps[i] = old_comps[cmp];
 } else {
- assert( i == pcol );
- new_comps[pcol] = old_comps[cmp];
+ assert( i == pcol ); // probably wrong?
+ new_comps[i] = old_comps[cmp];
 }

 /* Palette mapping: */
@@ -1007,11 +1007,11 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
 cmp = cmap[i].cmp; pcol = cmap[i].pcol;
 src = old_comps[cmp].data;
 assert( src );
- max = new_comps[pcol].w * new_comps[pcol].h;
+ max = new_comps[i].w * new_comps[i].h;

 /* Direct use: */
 if(cmap[i].mtyp == 0) {
- assert( cmp == 0 );
+ assert( cmp == 0 ); // probably wrong.
 dst = new_comps[i].data;
 assert( dst );
 for(j = 0; j < max; ++j) {
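Review bot: The widening of the duplicate-mapping test in opj_jp2_check_color from `cmap[i].mtyp == 1` to `cmap[i].mtyp != 0` has no comment saying why, and a reader who knows that the JP2 cmap box defines only MTYP values 0 and 1 will wonder whether reserved values are now deliberately accepted as palette mappings. It does line up with opj_jp2_apply_pclr, whose `if(cmap[i].mtyp == 0) ... else` likewise treats every non-zero MTYP as a palette lookup, so the two functions agree; I would record that on the changed line: `/* any non-zero MTYP is treated as a palette lookup by opj_jp2_apply_pclr, so a reused pcol is an error for all of them */`. Because the asserts in opj_jp2_apply_pclr vanish under NDEBUG, this function is the only place the cmap indices are enforced in a release build, which is worth a sentence in its header comment. The body of opj_jp2_check_color continues outside the hunk.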
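Review bot: The `assert( i == pcol ); // probably wrong?` line in the @@ -982 hunk, and the same annotated asserts in the @@ -1007 and @@ -1019 hunks, commit an open question as code: in a release (NDEBUG) build the assert is compiled out and enforces nothing, while in a debug build an assert the author already suspects is false becomes an abort on input the decoder would otherwise process. The real fix is that reads and writes now go through `new_comps[i]`, whose index is loop-bounded rather than taken from the file, so the asserts are left as commentary only. I would drop each of them, or replace the question mark with the contract the code actually relies on, e.g. `/* i is the cmap entry index; cmp and pcol are assumed to have been range-checked by opj_jp2_check_color — verify there */`, since `old_comps[cmp]` still indexes with a file-supplied value that is not checked in these hunks. If `i == pcol` is in fact not an invariant, as the comment suggests, the assert should go rather than stay annotated. opj_jp2_apply_pclr starts and ends outside these hunks.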
@@ -1019,8 +1019,8 @@ static void opj_jp2_apply_pclr(opj_image_t *image, opj_jp2_color_t *color)
 }
 }
 else {
- assert( i == pcol );
- dst = new_comps[pcol].data;
+ assert( i == pcol ); // probably wrong?
+ dst = new_comps[i].data;
 assert( dst );
 for(j = 0; j < max; ++j) {
 /* The index */
--
cgit v1.2.3