commit 341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec
author Nicolas Pena <npm@chromium.org> Thu Jan 19 12:42:20 2017 -0500
committer Chromium commit bot <commit-bot@chromium.org> Thu Jan 19 18:32:40 2017 +0000
tree 2d90abe61ac7c2ae5cada27563b7eb325fe6858e
parent 95bec8046a28928df627ce4d48eee8b209b3e36e

Return error in opj_j2k_read_header_procedure if l_marker_size < 2

If we do not do this check, it will overflow to a huge unsigned int, so
we will allocate a lot of memory etc.

BUG=682182

Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff
Reviewed-on: https://pdfium-review.googlesource.com/2272
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

third_party/libopenjpeg20/0024-l_marker_size_check.patch

diff --git a/third_party/libopenjpeg20/0024-l_marker_size_check.patch b/third_party/libopenjpeg20/0024-l_marker_size_check.patch
new file mode 100644
index 0000000..cb020c9
--- /dev/null
+++ b/third_party/libopenjpeg20/0024-l_marker_size_check.patch
@@ -0,0 +1,15 @@
+diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
+index 45187e8e6..5de89cf0e 100644
+--- a/third_party/libopenjpeg20/j2k.c
++++ b/third_party/libopenjpeg20/j2k.c
+@@ -7195,6 +7195,10 @@ static OPJ_BOOL opj_j2k_read_header_procedure( opj_j2k_t *p_j2k,
+ 
+                 /* read 2 bytes as the marker size */
+                 opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2);
++                if (l_marker_size < 2) {
++                        opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n");
++                        return OPJ_FALSE;
++                }
+                 l_marker_size -= 2; /* Subtract the size of the marker ID already read */
+ 
+                 /* Check if the marker size is compatible with the header data size */

third_party/libopenjpeg20/README.pdfium

diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 283daf6..0f45337 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -33,4 +33,5 @@
 0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
 0022-jp2_apply_pclr_overflow.patch: Prevent integer overflow in opj_jp2_apply_pclr.
 0023-opj_j2k_read_mct_records.patch: Fix opj_j2k_read to prevent heap-use-after-free.
+0024-l_marker_size_check.patch: Return error before overflow in opj_j2k_read_header_procedure.
 TODO(thestig): List all the other patches.

third_party/libopenjpeg20/j2k.c

diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 45187e8..5de89cf 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -7195,6 +7195,10 @@
 
                 /* read 2 bytes as the marker size */
                 opj_read_bytes(p_j2k->m_specific_param.m_decoder.m_header_data,&l_marker_size,2);
+                if (l_marker_size < 2) {
+                        opj_event_msg(p_manager, EVT_ERROR, "Invalid marker size\n");
+                        return OPJ_FALSE;
+                }
                 l_marker_size -= 2; /* Subtract the size of the marker ID already read */
 
                 /* Check if the marker size is compatible with the header data size */