Fix an integer overflow issue in openJpeg
authorJUN FANG <jun_fang@foxitsoftware.com>
Mon, 13 Jul 2015 13:34:20 +0000 (06:34 -0700)
committerJUN FANG <jun_fang@foxitsoftware.com>
Mon, 13 Jul 2015 13:34:20 +0000 (06:34 -0700)
Fixing this issue for an urgent request. It should be fixed on the OpenJPEG side.

BUG=506763
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1231933008 .

third_party/libopenjpeg20/pi.c

index 393a1e5..d2ba3a1 100644 (file)
@@ -36,6 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <limits.h>
 #include "opj_includes.h"
 
 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1236,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
        l_current_pi = l_pi;
 
        /* memory allocation for include */
-       l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+       l_current_pi->include = 00;
+       if
+               (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+       {
+               l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers + 1) * l_step_l, sizeof(OPJ_INT16));
+       }
+
        if
                (!l_current_pi->include)
        {
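Review bot: The new overflow guard at `if (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)` carries no comment explaining what it protects, and the arithmetic is subtle enough to deserve one; suggested: `/* reject tiles where (numlayers + 1) * l_step_l would wrap OPJ_UINT32 before opj_calloc sees it; l_step_l != 0 keeps the division and the -1 well defined */`. The bound is sound as written: with l_step_l nonzero the quotient is at least 1, so the subtraction cannot wrap, and the strict `<` is merely conservative by one. When the guard rejects, `include` stays `00` and control falls into the pre-existing `if (!l_current_pi->include)` branch, so an oversized layer/step count is presumably reported the same way as an out-of-memory condition; a distinct event message in that branch would help when triaging malformed files, though its body is outside the hunk. The computation of `l_step_l` itself is not visible here, and opj_pi_create_decode begins and ends outside the hunk.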