Cherry-pick OpenJPEG patch for CVE-2025-54874
Cherry-pick a commit from upstream OpenJPEG:
https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d
Bug: 445128546
Change-Id: Ie402da715c8342cd948c41c5d44b3edbec29e33c
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/135731
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/third_party/libopenjpeg/0049-check_after_parsing.patch b/third_party/libopenjpeg/0049-check_after_parsing.patch
new file mode 100644
index 0000000..8448324
--- /dev/null
+++ b/third_party/libopenjpeg/0049-check_after_parsing.patch
@@ -0,0 +1,35 @@
+commit f809b80c67717c152a5ad30bf06774f00da4fd2d
+Author: Sebastian Rasmussen <sebras@gmail.com>
+Date: Thu Jan 16 02:13:43 2025 +0100
+
+ opj_jp2_read_header: Check for error after parsing header.
+
+ Consider the case where the caller has not set the p_image
+ pointer to NULL before calling opj_read_header().
+
+ If opj_j2k_read_header_procedure() fails while obtaining the rest
+ of the marker segment when calling opj_stream_read_data() because
+ the data stream is too short, then opj_j2k_read_header() will
+ never have the chance to initialize p_image, leaving it
+ uninitialized.
+
+ opj_jp2_read_header() will check the p_image value whether
+ opj_j2k_read_header() suceeded or failed. This may be detected as
+ an error in valgrind or ASAN.
+
+ The fix is to check whether opj_j2k_read_header() suceeded before
+ using the output argument p_image.
+
+diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
+index 4df055a5..da506318 100644
+--- a/src/lib/openjp2/jp2.c
++++ b/src/lib/openjp2/jp2.c
+@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream,
+ p_image,
+ p_manager);
+
+- if (p_image && *p_image) {
++ if (ret && p_image && *p_image) {
+ /* Set Image Color Space */
+ if (jp2->enumcs == 16) {
+ (*p_image)->color_space = OPJ_CLRSPC_SRGB;
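Review bot: the hunk header recorded in this new patch file ("@@ -2873,7 +2873,7 @@") points at upstream's line numbers, while the same change lands at line 2899 in pdfium's third_party/libopenjpeg/jp2.c, so 0049-check_after_parsing.patch is a record of the upstream commit f809b80c67717c152a5ad30bf06774f00da4fd2d rather than something that applies cleanly with `patch -p1` against the pdfium copy; that matches how the other NNNN-*.patch files are used here, but worth being aware of if someone later tries to re-apply the series. The embedded upstream message also carries the upstream typo "suceeded" twice ("whether opj_j2k_read_header() suceeded or failed", "check whether opj_j2k_read_header() suceeded"); since the file reproduces the upstream commit verbatim, leaving it is defensible, just do not fix it only in one of the two places.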
diff --git a/third_party/libopenjpeg/README.pdfium b/third_party/libopenjpeg/README.pdfium
index 3a0dc1b..921be5a 100644
--- a/third_party/libopenjpeg/README.pdfium
+++ b/third_party/libopenjpeg/README.pdfium
@@ -32,3 +32,4 @@
0039-opj_mqc_renorme.patch: Remove unused opj_mqc_renorme().
0041-remove_opj_clock.patch: Remove unused opj_clock.h include.
0046-func-ptr-mixup.patch: Prevent mixing up function pointer types.
+0049-check_after_parsing.patch: Check for error after parsing header.
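Review bot: the README entry for 0049-check_after_parsing.patch describes the change ("Check for error after parsing header.") but, unlike the commit title, does not mention CVE-2025-54874 or the upstream commit hash; adding one of those to the entry, e.g. "0049-check_after_parsing.patch: Check for error after parsing header (CVE-2025-54874, upstream f809b80c).", makes it much easier to audit later which security fixes the vendored copy already carries without opening each patch file.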
diff --git a/third_party/libopenjpeg/jp2.c b/third_party/libopenjpeg/jp2.c
index 6b4d5db..af3b38f 100644
--- a/third_party/libopenjpeg/jp2.c
+++ b/third_party/libopenjpeg/jp2.c
@@ -2899,7 +2899,7 @@
p_image,
p_manager);
- if (p_image && *p_image) {
+ if (ret && p_image && *p_image) {
/* Set Image Color Space */
if (jp2->enumcs == 16) {
(*p_image)->color_space = OPJ_CLRSPC_SRGB;
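Review bot: the new guard `if (ret && p_image && *p_image)` relies on `ret` being the return value of the opj_j2k_read_header() call whose trailing arguments (`p_image,` / `p_manager);`) are the only part visible in this hunk; please confirm in the surrounding code that `ret` is assigned from exactly that call and is not reused for an earlier opj_jp2_read_header step, otherwise the short-circuit would not protect `*p_image`. The point of the change is that on failure opj_j2k_read_header() may never have written `*p_image`, so a caller that did not NULL-initialize its image pointer would previously pass the old `p_image && *p_image` test with garbage and then write through it at `(*p_image)->color_space = OPJ_CLRSPC_SRGB;`; with `ret` checked first, `*p_image` is not read at all on the failure path. Also worth checking (not in the hunk) that the function still propagates `ret` to its caller after this block rather than returning OPJ_TRUE unconditionally, since the fix only skips the color-space assignment and does not itself report the error.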