Cherry pick another OpenJPEG fix for a DWT integer overflow. Apply OpenJPEG's commit 1462e9403fb7d1186e999701dfe72980262a089c to the local copy of OpenJPEG. Bug: chromium:1307852 Change-Id: I5148987e055132549d4ac83f27746dd372c885f9 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/91650 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libopenjpeg20/0042-dwt_overflows.patch b/third_party/libopenjpeg20/0042-dwt_overflows.patch
new file mode 100644
index 0000000..9ad27ae
--- /dev/null
+++ b/third_party/libopenjpeg20/0042-dwt_overflows.patch
@@ -0,0 +1,20 @@
+commit 1462e9403fb7d1186e999701dfe72980262a089c
+Author: Even Rouault <even.rouault@spatialys.com>
+Date: Thu Feb 10 14:30:13 2022 +0100
+
+ Avoid integer overflows in DWT. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44544
+
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index 2b9b9e92..abc500ec 100644
+--- a/src/lib/openjp2/dwt.c
++++ b/src/lib/openjp2/dwt.c
+@@ -801,7 +801,8 @@ static void opj_idwt3_v_cas0(OPJ_INT32* tmp,
+ opj_int_add_no_overflow(opj_int_add_no_overflow(d1c, d1n), 2) >> 2);
+
+ tmp[i ] = s0c;
+- tmp[i + 1] = d1c + ((s0c + s0n) >> 1);
++ tmp[i + 1] = opj_int_add_no_overflow(d1c, opj_int_add_no_overflow(s0c,
++ s0n) >> 1);
+ }
+
+ tmp[i] = s0n;
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 30bbd34..d6127b0 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -30,3 +30,4 @@
 0039-opj_mqc_renorme.patch: Remove unused opj_mqc_renorme().
 0040-dwt_overflows.patch: Avoid integer overflows in DWT.
 0041-remove_opj_clock.patch: Remove unused opj_clock.h include.
+0042-dwt_overflows.patch: Avoid integer overflows in DWT.
diff --git a/third_party/libopenjpeg20/dwt.c b/third_party/libopenjpeg20/dwt.c
index 67a0b9f..063a689 100644
--- a/third_party/libopenjpeg20/dwt.c
+++ b/third_party/libopenjpeg20/dwt.c
@@ -806,7 +806,8 @@
 opj_int_add_no_overflow(opj_int_add_no_overflow(d1c, d1n), 2) >> 2);
 
 tmp[i ] = s0c;
- tmp[i + 1] = d1c + ((s0c + s0n) >> 1);
+ tmp[i + 1] = opj_int_add_no_overflow(d1c, opj_int_add_no_overflow(s0c,
+ s0n) >> 1);
 }
 
 tmp[i] = s0n;
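Review bot: Only the `tmp[i + 1]` assignment inside the loop is converted here, and the enclosing function (presumably opj_idwt3_v_cas0, going by the hunk header recorded in 0042-dwt_overflows.patch) starts before and continues past this hunk, so the code after `tmp[i] = s0n;` is not visible. It is worth confirming that any plain signed `+` sums remaining in that tail also go through `opj_int_add_no_overflow`, since the operands are coefficients decoded from the image and a bare signed add would leave the same undefined behaviour reachable. As far as I can tell the helper wraps rather than rejects, so `tmp[i + 1]` can still hold a wrapped value for a malformed stream; that is acceptable for sample data but should never feed a size or index computation. A one-line comment would record the intent, e.g. `/* wrapping add: coefficients come from untrusted input; signed overflow is UB */`, and because this file mirrors upstream it belongs in the upstream change or the local patch file rather than only in this copy.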