1diff --git a/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch b/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch
2new file mode 100644
3index 0000000..e69de29
4diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
5index 97e6e8c..a9e289d 100644
6--- a/third_party/libopenjpeg20/README.pdfium
7+++ b/third_party/libopenjpeg20/README.pdfium
8@@ -27,4 +27,5 @@ Local Modifications:
9 0015-read_SPCod_SPCoc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SPCod_SPCoc.
10 0016-read_SQcd_SQcc_overflow.patch: Prevent a buffer overflow in opj_j2k_read_SQcd_SQcc.
11 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|.
12+0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
13 TODO(thestig): List all the other patches.
14diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
15index b5f6fe9..6346c21 100644
16--- a/third_party/libopenjpeg20/j2k.c
17+++ b/third_party/libopenjpeg20/j2k.c
18@@ -8028,6 +8028,10 @@ OPJ_BOOL opj_j2k_read_tile_header( opj_j2k_t * p_j2k,
19 *p_tile_index = p_j2k->m_current_tile_number;
20 *p_go_on = OPJ_TRUE;
21 *p_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);
22+ if (*p_data_size == (OPJ_UINT32)-1) {
23+ return OPJ_FALSE;
24+ }
25+
26 *p_tile_x0 = p_j2k->m_tcd->tcd_image->tiles->x0;
27 *p_tile_y0 = p_j2k->m_tcd->tcd_image->tiles->y0;
28 *p_tile_x1 = p_j2k->m_tcd->tcd_image->tiles->x1;
29diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
30index 673633c..cd1c439 100644
31--- a/third_party/libopenjpeg20/tcd.c
32+++ b/third_party/libopenjpeg20/tcd.c
33@@ -1150,6 +1150,7 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size ( opj_tcd_t *p_tcd )
34 opj_tcd_tilecomp_t * l_tile_comp = 00;
35 opj_tcd_resolution_t * l_res = 00;
36 OPJ_UINT32 l_size_comp, l_remaining;
37+ OPJ_UINT32 l_temp;
38 
39 l_tile_comp = p_tcd->tcd_image->tiles->comps;
40 l_img_comp = p_tcd->image->comps;
41@@ -1167,7 +1168,18 @@ OPJ_UINT32 opj_tcd_get_decoded_tile_size ( opj_tcd_t *p_tcd )
42 }
43 
44 l_res = l_tile_comp->resolutions + l_tile_comp->minimum_num_resolutions - 1;
45- l_data_size += l_size_comp * (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0));
46+ l_temp = (OPJ_UINT32)((l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)); /* x1*y1 can't overflow */
47+
48+ if (l_size_comp && ((OPJ_UINT32)-1) / l_size_comp < l_temp) {
49+ return (OPJ_UINT32)-1;
50+ }
51+ l_temp *= l_size_comp;
52+
53+ if (l_temp > ((OPJ_UINT32)-1) - l_data_size) {
54+ return (OPJ_UINT32)-1;
55+ }
56+ l_data_size += l_temp;
57+
58 ++l_img_comp;
59 ++l_tile_comp;
60 }
61@@ -1362,7 +1374,7 @@ OPJ_BOOL opj_tcd_update_tile_data ( opj_tcd_t *p_tcd,
62 OPJ_UINT32 l_stride, l_width,l_height;
63 
64 l_data_size = opj_tcd_get_decoded_tile_size(p_tcd);
65- if (l_data_size > p_dest_length) {
66+ if (l_data_size == (OPJ_UINT32)-1 || l_data_size > p_dest_length) {
67 return OPJ_FALSE;
68 }
69 
70
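Review bot: The new file 0018-tcd_get_decoded_tile_size.patch is added empty — its blob id e69de29 is the hash of the empty blob and no hunk follows the file header — while README.pdfium in the next section describes it as the patch that fixes the integer overflow in opj_tcd_get_decoded_tile_size. The numbered patch files are what lets these local modifications be re-applied on the next libopenjpeg update, so an empty 0018 means the j2k.c and tcd.c changes of this commit would be silently lost at that point. The file should hold the diff of those two files as committed here, and the README line should stay as written.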
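Review bot: The overflow sentinel is stored into the caller's `*p_data_size` before it is tested, and `*p_go_on` was already set to OPJ_TRUE on the line above, so on the new early return the out-parameters report a size of 0xFFFFFFFF and a go-on flag of true while the function itself reports failure. Holding the value in a local first keeps the outputs untouched on the failure path: `OPJ_UINT32 l_data_size = opj_tcd_get_decoded_tile_size(p_j2k->m_tcd);` / `if (l_data_size == (OPJ_UINT32)-1) { return OPJ_FALSE; }` / `*p_data_size = l_data_size;`. The failure is also silent; if this function receives the event manager like the other opj_j2k_read_* routines (its parameter list is cut off in the hunk header), an `opj_event_msg(p_manager, EVT_ERROR, ...)` naming the tile would make a rejected tile size diagnosable instead of looking like a generic header error. opj_j2k_read_tile_header begins and ends outside the hunk.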
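Review bot: The comment `/* x1*y1 can't overflow */` on the new l_temp assignment asserts a precondition that nothing in the hunk enforces: the product `(l_res->x1 - l_res->x0) * (l_res->y1 - l_res->y0)` is evaluated in the coordinates' own type (presumably signed 32-bit) before the cast to OPJ_UINT32, so if a resolution's width times height can exceed that range the result is undefined behaviour rather than a wrapped value, and the division check that follows only guards the later multiplication by l_size_comp. If the bound really comes from a check elsewhere (for instance where the image and tile dimensions are read from the codestream), the comment should name that check; otherwise cast the two differences to OPJ_UINT32 and compare the width against `((OPJ_UINT32)-1) / height` in the same style as the l_size_comp guard. The function's new contract — a return of (OPJ_UINT32)-1 means "overflow, not a size" — is undocumented; it belongs on the function's declaration in its header, since opj_tcd_update_tile_data in the last hunk and opj_j2k_read_tile_header in j2k.c now both compare against that literal, and a single named constant for the sentinel would keep the three sites in step. opj_tcd_get_decoded_tile_size begins and ends outside the hunk.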