openjpeg: Prevent overflows when using opj_aligned_malloc()
BUG=628304
R=thestig@chromium.org, ochang@chromium.org
Review-Url: https://codereview.chromium.org/2218783002
diff --git a/third_party/libopenjpeg20/0020-opj_aligned_malloc.patch b/third_party/libopenjpeg20/0020-opj_aligned_malloc.patch
new file mode 100644
index 0000000..7de6e96
--- /dev/null
+++ b/third_party/libopenjpeg20/0020-opj_aligned_malloc.patch
@@ -0,0 +1,67 @@
+diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
+index b1012af..a40ed7b 100644
+--- a/third_party/libopenjpeg20/README.pdfium
++++ b/third_party/libopenjpeg20/README.pdfium
+@@ -29,4 +29,5 @@ Local Modifications:
+ 0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|.
+ 0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
+ 0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|.
++0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
+ TODO(thestig): List all the other patches.
+diff --git a/third_party/libopenjpeg20/dwt.c b/third_party/libopenjpeg20/dwt.c
+index 3b92bdf..a666d1c 100644
+--- a/third_party/libopenjpeg20/dwt.c
++++ b/third_party/libopenjpeg20/dwt.c
+@@ -576,6 +576,9 @@ static OPJ_BOOL opj_dwt_decode_tile(const opj_tcd_tilecomp_t* tilec, OPJ_UINT32
+ OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
+
+ h.mem_count = opj_dwt_max_resolution(tr, numres);
++ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < (OPJ_UINT32)h.mem_count) {
++ return OPJ_FALSE;
++ }
+ h.mem = (OPJ_INT32*)opj_aligned_malloc(h.mem_count * sizeof(OPJ_INT32));
+ if (! h.mem){
+ /* FIXME event manager error callback */
+@@ -850,7 +853,17 @@ OPJ_BOOL opj_dwt_decode_real(opj_tcd_tilecomp_t* restrict tilec, OPJ_UINT32 numr
+
+ OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
+
+- h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
++ OPJ_UINT32 mr = opj_dwt_max_resolution(res, numres);
++
++ if (mr >= ((OPJ_UINT32)-5)) {
++ return OPJ_FALSE;
++ }
++ mr += 5;
++
++ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_v4_t) < mr) {
++ return OPJ_FALSE;
++ }
++ h.wavelet = (opj_v4_t*) opj_aligned_malloc(mr * sizeof(opj_v4_t));
+ if (!h.wavelet) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
+index 108ce78..a119db1 100644
+--- a/third_party/libopenjpeg20/t1.c
++++ b/third_party/libopenjpeg20/t1.c
+@@ -1173,6 +1173,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
+ if (!t1->encoder) {
+ if(datasize > t1->datasize){
+ opj_aligned_free(t1->data);
++ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) {
++ return OPJ_FALSE;
++ }
+ t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
+ if(!t1->data){
+ /* FIXME event manager error callback */
+@@ -1187,6 +1190,9 @@ static OPJ_BOOL opj_t1_allocate_buffers(
+
+ if(flagssize > t1->flagssize){
+ opj_aligned_free(t1->flags);
++ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssize) {
++ return OPJ_FALSE;
++ }
+ t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
+ if(!t1->flags){
+ /* FIXME event manager error callback */
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index b1012af..a40ed7b 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -29,4 +29,5 @@
0017-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_precinct_size|.
0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|.
+0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/dwt.c b/third_party/libopenjpeg20/dwt.c
index 3b92bdf..1bcb108 100644
--- a/third_party/libopenjpeg20/dwt.c
+++ b/third_party/libopenjpeg20/dwt.c
@@ -576,6 +576,9 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
h.mem_count = opj_dwt_max_resolution(tr, numres);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < (OPJ_UINT32)h.mem_count) {
+ return OPJ_FALSE;
+ }
h.mem = (OPJ_INT32*)opj_aligned_malloc(h.mem_count * sizeof(OPJ_INT32));
if (! h.mem){
/* FIXME event manager error callback */
@@ -850,7 +853,17 @@
OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);
- h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
+ OPJ_UINT32 mr = opj_dwt_max_resolution(res, numres);
+
+ if (mr >= ((OPJ_UINT32)-5)) {
+ return OPJ_FALSE;
+ }
+ mr += 5;
+
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_v4_t) < mr) {
+ return OPJ_FALSE;
+ }
+ h.wavelet = (opj_v4_t*) opj_aligned_malloc(mr * sizeof(opj_v4_t));
if (!h.wavelet) {
/* FIXME event manager error callback */
return OPJ_FALSE;
diff --git a/third_party/libopenjpeg20/t1.c b/third_party/libopenjpeg20/t1.c
index 108ce78..a119db1 100644
--- a/third_party/libopenjpeg20/t1.c
+++ b/third_party/libopenjpeg20/t1.c
@@ -1173,6 +1173,9 @@
if (!t1->encoder) {
if(datasize > t1->datasize){
opj_aligned_free(t1->data);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_INT32) < datasize) {
+ return OPJ_FALSE;
+ }
t1->data = (OPJ_INT32*) opj_aligned_malloc(datasize * sizeof(OPJ_INT32));
if(!t1->data){
/* FIXME event manager error callback */
@@ -1187,6 +1190,9 @@
if(flagssize > t1->flagssize){
opj_aligned_free(t1->flags);
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_flag_t) < flagssize) {
+ return OPJ_FALSE;
+ }
t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
if(!t1->flags){
/* FIXME event manager error callback */
