
Side by Side Diff: third_party/libopenjpeg20/dwt.c

Issue 2218783002: openjpeg: Prevent overflows when using opj_aligned_malloc() (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: update the .patch file Created 4 years, 4 months ago
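--- a/third_party/libopenjpeg20/dwt.c
+++ b/third_party/libopenjpeg20/dwt.c
@@ -1,10 +1,10 @@
 /*
 * The copyright in this software is being made available under the 2-clauses
 * BSD License, included below. This software may be subject to other third
 * party and contributor rights, including patent rights, and no such rights
 * are granted under this license.
 *
 * Copyright (c) 2002-2014, Universite catholique de Louvain (UCL), Belgium
 * Copyright (c) 2002-2014, Professor Benoit Macq
 * Copyright (c) 2001-2003, David Janssens
 * Copyright (c) 2002-2003, Yannick Verschueren
@@ -569,20 +569,23 @@
 opj_dwt_t v;
 
 opj_tcd_resolution_t* tr = tilec->resolutions;
 
 OPJ_UINT32 rw = (OPJ_UINT32)(tr->x1 - tr->x0); /* width of the resoluti on level computed */
 OPJ_UINT32 rh = (OPJ_UINT32)(tr->y1 - tr->y0); /* height of the resolut ion level computed */
 
 OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
 
 h.mem_count = opj_dwt_max_resolution(tr, numres);
+if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < (OPJ_UINT32)h.mem _count) {
+return OPJ_FALSE;
+}
 h.mem = (OPJ_INT32*)opj_aligned_malloc(h.mem_count * sizeof(OPJ_INT32));
 if (! h.mem){
 /* FIXME event manager error callback */
 return OPJ_FALSE;
 }
 
 v.mem_count = h.mem_count;
 v.mem = h.mem;
 
 while( --numres) {
@@ -843,21 +846,31 @@
 opj_v4dwt_t h;
 opj_v4dwt_t v;
 
 opj_tcd_resolution_t* res = tilec->resolutions;
 
 OPJ_UINT32 rw = (OPJ_UINT32)(res->x1 - res->x0); /* width of the resolution level computed */
 OPJ_UINT32 rh = (OPJ_UINT32)(res->y1 - res->y0); /* height of the resolution level computed */
 
 OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
 
-» h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
+» OPJ_UINT32 mr = opj_dwt_max_resolution(res, numres);
+
+» if (mr >= ((OPJ_UINT32)-5)) {
+» » return OPJ_FALSE;
+» }
+» mr += 5;
+
+» if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_v4_t) < mr) {
+» » return OPJ_FALSE;
+» }
+» h.wavelet = (opj_v4_t*) opj_aligned_malloc(mr * sizeof(opj_v4_t));
 if (!h.wavelet) {
 /* FIXME event manager error callback */
 return OPJ_FALSE;
 }
 v.wavelet = h.wavelet;
 
 while( --numres) {
 OPJ_FLOAT32 * restrict aj = (OPJ_FLOAT32*) tilec->data;
 OPJ_UINT32 bufsize = (OPJ_UINT32)((tilec->x1 - tilec->x0) * (til ec->y1 - tilec->y0));
 OPJ_INT32 j;
@@ -929,10 +942,10 @@
 
 for(k = 0; k < rh; ++k){
 memcpy(&aj[k*w], &v.wavelet[k], (size_t)j * size of(OPJ_FLOAT32));
 }
 }
 }
 
 opj_aligned_free(h.wavelet);
 return OPJ_TRUE;
 }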
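Review bot: The product that sizes `bufsize` at new line 875 is still unchecked, although it sits in the same function as the guards added at new lines 858-865. `(tilec->x1 - tilec->x0) * (tilec->y1 - tilec->y0)` is evaluated before the cast to `OPJ_UINT32`, so if those fields are signed 32-bit, as the casts on `rw`, `rh` and `w` suggest, a large tile overflows there. How `bufsize` is consumed lies in the skipped lines, so the impact needs confirming, but a guard next to the new ones and before the allocation would cover it without a cleanup path: `if (th != 0 && w > ((OPJ_UINT32)-1) / th) return OPJ_FALSE;` with `th = (OPJ_UINT32)(tilec->y1 - tilec->y0)`. The new early returns at 579-581 and 858-865 also carry no comment and raise no error event, so a rejected size looks the same as an allocation failure to the caller; a line such as `/* reject element counts whose byte size would not fit in 32 bits */` above each guard would document the limit. Both function bodies begin outside the visible lines.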