Fix a crash in CFXMEM_FixedMgr::AllocLarge
authorfoxit <jun_fang@foxitsoftware.com>
Sat, 21 Jun 2014 00:03:04 +0000 (17:03 -0700)
committerfoxit <jun_fang@foxitsoftware.com>
Sat, 21 Jun 2014 00:03:04 +0000 (17:03 -0700)
BUG=382243
R=palmer@chromium.org

Review URL: https://codereview.chromium.org/333213002

core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/tcd.c

index 94feb17..c108675 100644 (file)
@@ -775,6 +775,8 @@ OPJ_BOOL FUNCTION (     opj_tcd_t *p_tcd,                        \
                         /* p. 35, table A-23, ISO/IEC FDIS154444-1 : 2000 (18 august 2000) */                                                                                                                     \
                         l_pdx = l_tccp->prcw[resno];                                                                                                                                                              \
                         l_pdy = l_tccp->prch[resno];                                                                                                                                                              \
+                        if (l_pdx == 0 || l_pdy == 0)                                                                                                                                                                \
+                            return OPJ_FALSE;                                                                                                                                                                     \
                         /*fprintf(stderr, "\t\t\tpdx=%d, pdy=%d\n", l_pdx, l_pdy);*/                                                                                                                              \
                         /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */                                                                                                                            \
                         l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;                                                                                                                           \
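Review bot: The added guard rejects only a zero exponent, so a large `l_pdx` (and presumably `l_pdy` further down) still reaches the `<< l_pdx` on the last line of the hunk, where the shifted value is an OPJ_INT32 result; a shift count at or above the type width, or one that overflows the signed value, is undefined behaviour. Whether the code that fills `prcw`/`prch` already bounds these values is not visible here; if it does not, extend the condition, e.g. `if (l_pdx == 0 || l_pdy == 0 || l_pdx > 30 || l_pdy > 30)`, with the exact limit taken from the field's defined range. A short comment such as `/* reject precinct exponents the size computations below cannot handle */` would record why the check exists. The enclosing macro-defined function starts and ends outside the hunk, so it is also worth confirming that the early `return OPJ_FALSE` leaves nothing set up earlier in the function unreleased.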