Merge to XFA: Fix a crashier due to images with abnormal size
authorJUN FANG <jun_fang@foxitsoftware.com>
Tue, 21 Apr 2015 16:58:09 +0000 (09:58 -0700)
committerJUN FANG <jun_fang@foxitsoftware.com>
Tue, 21 Apr 2015 17:41:25 +0000 (10:41 -0700)
BUG=453553
R=thestig@chromium.org, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1093323003

core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c

index f944ad1..73dc5ab 100644 (file)
@@ -8008,14 +8008,18 @@ OPJ_BOOL opj_j2k_update_image_data (opj_tcd_t * p_tcd, OPJ_BYTE * p_data, opj_im
         l_img_comp_dest = p_output_image->comps;
 
         for (i=0; i<l_image_src->numcomps; i++) {
-
                 /* Allocate output component buffer if necessary */
                 if (!l_img_comp_dest->data) {
-
-                        l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_img_comp_dest->w * l_img_comp_dest->h, sizeof(OPJ_INT32));
-                        if (! l_img_comp_dest->data) {
-                                return OPJ_FALSE;
-                        }
+                    OPJ_UINT32 width = l_img_comp_dest->w;
+                    OPJ_UINT32 height = l_img_comp_dest->h;
+                    const OPJ_UINT32 MAX_SIZE = UINT32_MAX / sizeof(OPJ_INT32);
+                    if (height == 0 || width > MAX_SIZE / height) {
+                        return OPJ_FALSE;
+                    } 
+                    l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(width * height, sizeof(OPJ_INT32));
+                    if (!l_img_comp_dest->data) {
+                        return OPJ_FALSE;
+                    }
                 }
 
                 /* Copy info from decoded comp image to output image */