openjpeg: Prevent negative x, y values in opj_tcd_init_tile
BUG=632622
Review-Url: https://codereview.chromium.org/2223303002
diff --git a/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
new file mode 100644
index 0000000..33694f8
--- /dev/null
+++ b/third_party/libopenjpeg20/0021-tcd_init_tile_negative.patch
@@ -0,0 +1,21 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 9270efe..06eee4e 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -706,9 +706,16 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
+ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
+ l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
++ if (l_tile->x0 < 0 || l_tile->x1 < 0) {
++ return OPJ_FALSE;
++ }
++
+ l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
+ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
+ l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
++ if (l_tile->y0 < 0 || l_tile->y1 < 0) {
++ return OPJ_FALSE;
++ }
+
+ /* testcase 1888.pdf.asan.35.988 */
+ if (l_tccp->numresolutions == 0) {
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index a40ed7b..7779044 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -30,4 +30,5 @@
0018-tcd_get_decoded_tile_size.patch: Fix an integer overflow in opj_tcd_get_decoded_tile_size.
0019-tcd_init_tile.patch: Prevent integer overflows during calculation of |l_nb_code_blocks_size|.
0020-opj_aligned_malloc.patch: Prevent overflows when using opj_aligned_malloc().
+0021-tcd_init_tile_negative.patch: Prevent negative x, y values in opj_tcd_init_tile.
TODO(thestig): List all the other patches.
diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
index 9270efe..06eee4e 100644
--- a/third_party/libopenjpeg20/tcd.c
+++ b/third_party/libopenjpeg20/tcd.c
@@ -706,9 +706,16 @@
l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */
l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0);
l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1);
+ if (l_tile->x0 < 0 || l_tile->x1 < 0) {
+ return OPJ_FALSE;
+ }
+
l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */
l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0);
l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1);
+ if (l_tile->y0 < 0 || l_tile->y1 < 0) {
+ return OPJ_FALSE;
+ }
/* testcase 1888.pdf.asan.35.988 */
if (l_tccp->numresolutions == 0) {
