| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * The copyright in this software is being made available under the 2-clauses | 2 * The copyright in this software is being made available under the 2-clauses |
| 3 * BSD License, included below. This software may be subject to other third | 3 * BSD License, included below. This software may be subject to other third |
| 4 * party and contributor rights, including patent rights, and no such rights | 4 * party and contributor rights, including patent rights, and no such rights |
| 5 * are granted under this license. | 5 * are granted under this license. |
| 6 * | 6 * |
| 7 * Copyright (c) 2002-2014, Universite catholique de Louvain (UCL), Belgium | 7 * Copyright (c) 2002-2014, Universite catholique de Louvain (UCL), Belgium |
| 8 * Copyright (c) 2002-2014, Professor Benoit Macq | 8 * Copyright (c) 2002-2014, Professor Benoit Macq |
| 9 * Copyright (c) 2001-2003, David Janssens | 9 * Copyright (c) 2001-2003, David Janssens |
| 10 * Copyright (c) 2002-2003, Yannick Verschueren | 10 * Copyright (c) 2002-2003, Yannick Verschueren |
| (...skipping 954 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 965 OPJ_UINT16 i, nr_channels, cmp, pcol; | 965 OPJ_UINT16 i, nr_channels, cmp, pcol; |
| 966 OPJ_INT32 k, top_k; | 966 OPJ_INT32 k, top_k; |
| 967 | 967 |
| 968 channel_size = color->jp2_pclr->channel_size; | 968 channel_size = color->jp2_pclr->channel_size; |
| 969 channel_sign = color->jp2_pclr->channel_sign; | 969 channel_sign = color->jp2_pclr->channel_sign; |
| 970 entries = color->jp2_pclr->entries; | 970 entries = color->jp2_pclr->entries; |
| 971 cmap = color->jp2_pclr->cmap; | 971 cmap = color->jp2_pclr->cmap; |
| 972 nr_channels = color->jp2_pclr->nr_channels; | 972 nr_channels = color->jp2_pclr->nr_channels; |
| 973 | 973 |
| 974 old_comps = image->comps; | 974 old_comps = image->comps; |
| 975 /* Overflow check: prevent integer overflow */ |
| 976 for (i = 0; i < nr_channels; ++i) { |
| 977 cmp = cmap[i].cmp; |
| 978 if (old_comps[cmp].h == 0 || old_comps[cmp].w > ((OPJ_UINT32)-1)
/ sizeof(OPJ_INT32) / old_comps[cmp].h) { |
| 979 return; |
| 980 } |
| 981 } |
| 982 |
| 975 new_comps = (opj_image_comp_t*) | 983 new_comps = (opj_image_comp_t*) |
| 976 opj_malloc(nr_channels * sizeof(opj_image_comp_t)); | 984 opj_malloc(nr_channels * sizeof(opj_image_comp_t)); |
| 977 if (!new_comps) { | 985 if (!new_comps) { |
| 978 /* FIXME no error code for opj_jp2_apply_pclr */ | 986 /* FIXME no error code for opj_jp2_apply_pclr */ |
| 979 /* FIXME event manager error callback */ | 987 /* FIXME event manager error callback */ |
| 980 return; | 988 return; |
| 981 } | 989 } |
| 982 for(i = 0; i < nr_channels; ++i) { | 990 for(i = 0; i < nr_channels; ++i) { |
| 983 pcol = cmap[i].pcol; cmp = cmap[i].cmp; | 991 pcol = cmap[i].pcol; cmp = cmap[i].cmp; |
| 984 | 992 |
| (...skipping 19 matching lines...) Expand all Loading... |
| 1004 new_comps[i].prec = channel_size[i]; | 1012 new_comps[i].prec = channel_size[i]; |
| 1005 new_comps[i].sgnd = channel_sign[i]; | 1013 new_comps[i].sgnd = channel_sign[i]; |
| 1006 } | 1014 } |
| 1007 | 1015 |
| 1008 top_k = color->jp2_pclr->nr_entries - 1; | 1016 top_k = color->jp2_pclr->nr_entries - 1; |
| 1009 | 1017 |
| 1010 for(i = 0; i < nr_channels; ++i) { | 1018 for(i = 0; i < nr_channels; ++i) { |
| 1011 /* Palette mapping: */ | 1019 /* Palette mapping: */ |
| 1012 cmp = cmap[i].cmp; pcol = cmap[i].pcol; | 1020 cmp = cmap[i].cmp; pcol = cmap[i].pcol; |
| 1013 src = old_comps[cmp].data; | 1021 src = old_comps[cmp].data; |
| 1014 assert( src ); | 1022 » » dst = new_comps[i].data; |
| 1015 max = new_comps[i].w * new_comps[i].h; | 1023 max = new_comps[i].w * new_comps[i].h; |
| 1016 | 1024 |
| 1025 /* Prevent null pointer access */ |
| 1026 if (!src || !dst) { |
| 1027 for (j = 0; j < nr_channels; ++j) { |
| 1028 opj_free(new_comps[j].data); |
| 1029 } |
| 1030 opj_free(new_comps); |
| 1031 new_comps = NULL; |
| 1032 return; |
| 1033 } |
| 1034 |
| 1017 /* Direct use: */ | 1035 /* Direct use: */ |
| 1018 if(cmap[i].mtyp == 0) { | 1036 if(cmap[i].mtyp == 0) { |
| 1019 assert( cmp == 0 ); // probably wrong. | 1037 assert( cmp == 0 ); // probably wrong. |
| 1020 dst = new_comps[i].data; | |
| 1021 assert( dst ); | |
| 1022 for(j = 0; j < max; ++j) { | 1038 for(j = 0; j < max; ++j) { |
| 1023 dst[j] = src[j]; | 1039 dst[j] = src[j]; |
| 1024 } | 1040 } |
| 1025 } | 1041 } |
| 1026 else { | 1042 else { |
| 1027 assert( i == pcol ); // probably wrong? | 1043 assert( i == pcol ); // probably wrong? |
| 1028 dst = new_comps[i].data; | |
| 1029 assert( dst ); | |
| 1030 for(j = 0; j < max; ++j) { | 1044 for(j = 0; j < max; ++j) { |
| 1031 /* The index */ | 1045 /* The index */ |
| 1032 if((k = src[j]) < 0) k = 0; else if(k > top_k) k = top_k; | 1046 if((k = src[j]) < 0) k = 0; else if(k > top_k) k = top_k; |
| 1033 | 1047 |
| 1034 /* The colour */ | 1048 /* The colour */ |
| 1035 dst[j] = (OPJ_INT32)entries[k * nr_channels + pcol]; | 1049 dst[j] = (OPJ_INT32)entries[k * nr_channels + pcol]; |
| 1036 } | 1050 } |
| 1037 } | 1051 } |
| 1038 } | 1052 } |
| 1039 | 1053 |
| (...skipping 2114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3154 len = opj_stream_tell(cio)-lenp; | 3168 len = opj_stream_tell(cio)-lenp; |
| 3155 opj_stream_skip(cio, lenp, p_manager); | 3169 opj_stream_skip(cio, lenp, p_manager); |
| 3156 opj_write_bytes(l_data_header,len,4);/* L */ | 3170 opj_write_bytes(l_data_header,len,4);/* L */ |
| 3157 opj_stream_write_data(cio,l_data_header,4,p_manager); | 3171 opj_stream_write_data(cio,l_data_header,4,p_manager); |
| 3158 opj_stream_seek(cio, lenp+len,p_manager); | 3172 opj_stream_seek(cio, lenp+len,p_manager); |
| 3159 | 3173 |
| 3160 return len; | 3174 return len; |
| 3161 } | 3175 } |
| 3162 #endif | 3176 #endif |
| 3163 #endif /* USE_JPIP */ | 3177 #endif /* USE_JPIP */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2270343002:
openjpeg: Prevent an integer overflow in opj_jp2_apply_pclr. (Closed)
Base URL: https://pdfium.googlesource.com/pdfium.git@master