OLD | NEW |
(Empty) | |
| 1 diff --git a/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch b/th
ird_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch |
| 2 new file mode 100644 |
| 3 index 0000000..e69de29 |
| 4 diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20
/README.pdfium |
| 5 index 97e6e8c..a9e289d 100644 |
| 6 --- a/third_party/libopenjpeg20/README.pdfium |
| 7 +++ b/third_party/libopenjpeg20/README.pdfium |
| 8 @@ -27,4 +27,5 @@ Local Modifications: |
| 9 0015-read_SPCod_SPCoc_overflow.patch: Prevent a buffer overflow in opj_j2k_read
_SPCod_SPCoc. |
| 10 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_S
Qcd_SQcc. |
| 11 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb
_precinct_size|. |
| 12 +0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_de
coded_tile_size. |
| 13 TODO(thestig): List all the other patches. |
| 14 diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c |
| 15 index b5f6fe9..6346c21 100644 |
| 16 --- a/third_party/libopenjpeg20/j2k.c |
| 17 +++ b/third_party/libopenjpeg20/j2k.c |
| 18 @@ -8028,6 +8028,10 @@ OPJ_BOOL opj_j2k_read_tile_header( opj_j2k_t * p_j2k
, |
| 19 *p_tile_index = p_j2k->m_current_tile_number; |
| 20 *p_go_on = OPJ_TRUE; |
| 21 *p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd); |
| 22 + if (*p_data_size == (OPJ_UINT32)-1) { |
| 23 + return OPJ_FALSE; |
| 24 + } |
| 25 + |
| 26 *p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0; |
| 27 *p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0; |
| 28 *p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1; |
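Review bot: The new early return leaves the out-parameters half-written: by the time `return OPJ_FALSE;` runs, `*p_go_on` has already been set to `OPJ_TRUE` and `*p_data_size` holds the sentinel 0xFFFFFFFF. A caller that looks at those values without checking the return code would treat the sentinel as a real tile size. Consider storing the result in a local first and writing `*p_data_size` only after the check, or adding `*p_go_on = OPJ_FALSE;` before the return. The failure is also silent; if the function's event manager is in scope here (the signature is cut off in the hunk header), a line such as `opj_event_msg(p_manager, EVT_ERROR, "Decoded tile size overflows 32 bits\n");` would make rejected images diagnosable. The body of opj_j2k_read_tile_header starts and ends outside the hunk.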
| 29 diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c |
| 30 index 673633c..cd1c439 100644 |
| 31 --- a/third_party/libopenjpeg20/tcd.c |
| 32 +++ b/third_party/libopenjpeg20/tcd.c |
| 33 @@ -1150,6 +1150,7 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size ( opj_tcd_t *p_tc
d ) |
| 34 opj_tcd_tilecomp_t * l_tile_comp = 00; |
| 35 opj_tcd_resolution_t * l_res = 00; |
| 36 OPJ_UINT32 l_size_comp, l_remaining; |
| 37 + OPJ_UINT32 l_temp; |
| 38 |
| 39 l_tile_comp = p_tcd->tcd_image->tiles->comps; |
| 40 l_img_comp = p_tcd->image->comps; |
| 41 @@ -1167,7 +1168,18 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size ( opj_tcd_t *p_t
cd ) |
| 42 } |
| 43 |
| 44 l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_res
olutions - 1; |
| 45 - l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x
0) * (l_res->y1 - l_res->y0)); |
| 46 + l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_
res->y0)); /* x1*y1 can't overflow */ |
| 47 + |
| 48 + if (l_size_comp && ((OPJ_UINT32)-1) / l_size_comp < l_temp) { |
| 49 + return (OPJ_UINT32)-1; |
| 50 + } |
| 51 + l_temp *= l_size_comp; |
| 52 + |
| 53 + if (l_temp > ((OPJ_UINT32)-1) - l_data_size) { |
| 54 + return (OPJ_UINT32)-1; |
| 55 + } |
| 56 + l_data_size += l_temp; |
| 57 + |
| 58 ++l_img_comp; |
| 59 ++l_tile_comp; |
| 60 } |
| 61 @@ -1362,7 +1374,7 @@ OPJ_BOOL opj_tcd_update_tile_data ( opj_tcd_t *p_tcd, |
| 62 OPJ_UINT32 l_stride, l_width,l_height; |
| 63 |
| 64 l_data_size = opj_tcd_get_decoded_tile_size(p_tcd); |
| 65 - if (l_data_size > p_dest_length) { |
| 66 + if (l_data_size == (OPJ_UINT32)-1 || l_data_size > p_dest_length) { |
| 67 return OPJ_FALSE; |
| 68 } |
| 69 |
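Review bot: In the second hunk the product `(l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)` is still evaluated before the cast to OPJ_UINT32, so the new checks cover only the multiply by `l_size_comp` and the accumulation into `l_data_size`; the width-by-height step rests on the comment `/* x1*y1 can't overflow */`. The hunk does not show where that bound is enforced, and if the coordinates are signed (as the cast suggests) an overflow there is undefined behaviour that would feed a wrong `l_temp` into the checks that follow. Either extend the comment to name the earlier check that guarantees the bound, or make the step self-checking by widening it, e.g. `OPJ_UINT64 l_area = (OPJ_UINT64)(l_res->x1 - l_res->x0) * (OPJ_UINT64)(l_res->y1 - l_res->y0);` and returning the sentinel when `l_area` exceeds 32 bits. Separately, `(OPJ_UINT32)-1` is spelled out at every check here and in j2k.c; one named constant, documented on opj_tcd_get_decoded_tile_size as the overflow return value, would keep current and future callers in step. Both function bodies start and end outside these hunks.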