
Side by Side Diff: third_party/libopenjpeg20/t1.c

Issue 2218783002: openjpeg: Prevent overflows when using opj_aligned_malloc() (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: update the .patch file Created 4 years, 4 months ago
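--- a/third_party/libopenjpeg20/t1.c
+++ b/third_party/libopenjpeg20/t1.c
@@ -1,10 +1,10 @@
 /*
 * The copyright in this software is being made available under the 2-clauses
 * BSD License, included below. This software may be subject to other third
 * party and contributor rights, including patent rights, and no such rights
 * are granted under this license.
 *
 * Copyright (c) 2002-2014, Universite catholique de Louvain (UCL), Belgium
 * Copyright (c) 2002-2014, Professor Benoit Macq
 * Copyright (c) 2001-2003, David Janssens
 * Copyright (c) 2002-2003, Yannick Verschueren
@@ -1166,34 +1166,40 @@
 OPJ_UINT32 w,
 OPJ_UINT32 h)
 {
 OPJ_UINT32 datasize=w * h;
 OPJ_UINT32 flagssize;
 
 /* encoder uses tile buffer, so no need to allocate */
 if (!t1->encoder) {
 if(datasize > t1->datasize){
 opj_aligned_free(t1->data);
+if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < d atasize) {
+return OPJ_FALSE;
+}
 t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * si zeof(OPJ_INT32));
 if(!t1->data){
 /* FIXME event manager error callback */
 return OPJ_FALSE;
 }
 t1->datasize=datasize;
 }
 memset(t1->data,0,datasize * sizeof(OPJ_INT32));
 }
 t1->flags_stride=w+2;
 flagssize=t1->flags_stride * (h+2);
 
 if(flagssize > t1->flagssize){
 opj_aligned_free(t1->flags);
+if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssiz e) {
+return OPJ_FALSE;
+}
 t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof( opj_flag_t));
 if(!t1->flags){
 /* FIXME event manager error callback */
 return OPJ_FALSE;
 }
 t1->flagssize=flagssize;
 }
 memset(t1->flags,0,flagssize * sizeof(opj_flag_t));
 
 t1->w=w;
@@ -1755,10 +1761,10 @@
 opj_mqc_setcurctx(mqc, opj_t1_getctxno_sc(flag)) ;
 v = opj_mqc_decode(mqc) ^ opj_t1_getspb(flag);
 *datap = v ? -oneplushalf : oneplushalf;
 opj_t1_updateflags(flagsp, v, t1->flags_stride);
 }
 }
 *flagsp |= T1_VISIT;
 }
 } /* VSC and BYPASS by Antonin */
 #endif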
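Review bot: Both new overflow checks return OPJ_FALSE after the buffer has already been released (the data check follows `opj_aligned_free(t1->data);` and the flags check follows `opj_aligned_free(t1->flags);`), so on those paths t1->data / t1->flags still hold the freed pointer and t1->datasize / t1->flagssize still report the old capacity. Before this change the only exit after the free was the failed-allocation branch, where the pointer had just been overwritten with NULL; any later reuse or teardown of t1 that reads or frees these members (not visible here) would now act on freed memory. Move each check above its free, e.g. `if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) { return OPJ_FALSE; }` placed before `opj_aligned_free(t1->data);`, and likewise for the flags buffer. Separately, `w * h`, `w+2` and `t1->flags_stride * (h+2)` are computed in 32-bit arithmetic before either check runs, so a wrapped product would pass the guard with a small size; unless callers bound w and h (the function starts outside the visible lines), those operations need their own range check.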