Google Git
Sign in
pdfium / pdfium.git / 2a2ee0f1ca747929acaf1b4f2eadbf7c8e8025e6^! / .
commit2a2ee0f1ca747929acaf1b4f2eadbf7c8e8025e6[log] [tgz]
authorNicolas Pena <npm@chromium.org>Thu May 11 11:12:33 2017 -0400
committerChromium commit bot <commit-bot@chromium.org>Thu May 11 16:09:22 2017 +0000
tree39fd6639ff73cbb69f4c8e47291578d71f19f554
parent4da1e7623c52572bc8677ac53b908f39543f13b1 [diff]
LibOpenJPEG: undefined shift in opj_t1_dec_clnpass

bpno_plus_one is used as a parameter bpno for a bunch of methods that calculate
1 << bpno. Thus, use a reduced value when it's large enough to cause undefined
shift. bpno_plus_one itself remains unchanged so that the number of calls
remains the same

Bug: chromium:698526
Change-Id: I40431d41a04f3e2315bd3c80114cd0fcbd2815b4
Reviewed-on: https://pdfium-review.googlesource.com/5310
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

diff --git a/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch
new file mode 100644
index 0000000..58f04b0
--- /dev/null
+++ b/third_party/libopenjpeg20/0033-undefined-shift-opj_t1_dec_clnpass.patch

@@ -0,0 +1,14 @@
+diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
+index 1ad850c77..d290c38d5 100644
+--- a/third_party/libopenjpeg20/t1.c
++++ b/third_party/libopenjpeg20/t1.c
+@@ -1387,6 +1387,9 @@ static OPJ_BOOL opj_t1_decode_cblk(opj_t1_t *t1,
+        }
+ 
+        bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
++    if (bpno_plus_one > 30) {
++        return OPJ_FALSE;
++    }
+        passtype = 2;
+ 
+        opj_mqc_resetstates(mqc);

diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index cae9a9a..a90f28b 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium

@@ -42,4 +42,5 @@
 0030-undefined-shift-opj_get_all_encoding_parameters.patch: fix undefined shift in pi.c method.
 0031-undefined-shift-opj_bio_read.patch: fix undefined shift in bio.c method.
 0032-undefined-shift-opj_j2k_read_siz.patch: fix undefined shift in j2k.c method.
+0033-undefined-shift-opj_t1_dec_clnpass.patch: fix undefined shifts originated from opj_t1_decode_cblk.
 TODO(thestig): List all the other patches.

diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
index 1ad850c..d290c38 100644
--- a/third_party/libopenjpeg20/t1.c
+++ b/third_party/libopenjpeg20/t1.c

@@ -1387,6 +1387,9 @@
 	}
 
 	bpno_plus_one = (OPJ_INT32)(roishift + cblk->numbps);
+    if (bpno_plus_one > 30) {
+        return OPJ_FALSE;
+    }
 	passtype = 2;
 
 	opj_mqc_resetstates(mqc);