Check more headers in OpenJPEG.
Patch in upstream commit f3ee448815eb992b8d4746e32c05e8289f30415f.
Bug: chromium:1114577
Change-Id: I93310327f8906b0cc7b428f5674ad541aeb1273a
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/72614
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libopenjpeg20/0038-opj_j2k_validate_param.patch b/third_party/libopenjpeg20/0038-opj_j2k_validate_param.patch
new file mode 100644
index 0000000..9431d82
--- /dev/null
+++ b/third_party/libopenjpeg20/0038-opj_j2k_validate_param.patch
@@ -0,0 +1,30 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 59b2bbb7..43be7677 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -2698,6 +2698,12 @@ static OPJ_BOOL opj_j2k_read_cod(opj_j2k_t *p_j2k,
+ opj_read_bytes(p_header_data, &l_tcp->mct, 1); /* SGcod (C) */
+ ++p_header_data;
+
++ if (l_tcp->mct > 1) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Invalid multiple component transformation\n");
++ return OPJ_FALSE;
++ }
++
+ p_header_size -= 5;
+ for (i = 0; i < l_image->numcomps; ++i) {
+ l_tcp->tccps[i].csty = l_tcp->csty & J2K_CCP_CSTY_PRT;
+@@ -9792,6 +9798,12 @@ static OPJ_BOOL opj_j2k_read_SPCod_SPCoc(opj_j2k_t *p_j2k,
+ opj_read_bytes(l_current_ptr, &l_tccp->qmfbid, 1);
+ ++l_current_ptr;
+
++ if (l_tccp->qmfbid > 1) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Error reading SPCod SPCoc element, Invalid transformation found\n");
++ return OPJ_FALSE;
++ }
++
+ *p_header_size = *p_header_size - 5;
+
+ /* use custom precinct size ? */
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index 2a13a61..08f6007 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -29,3 +29,4 @@
0035-opj_image_data_free.patch: Use the right free function in opj_jp2_apply_pclr.
0036-opj_j2k_update_image_dimensions.patch: fix integer overflow.
0037-tcd_init_tile.patch: Avoid integer overflow in opj_tcd_init_tile().
+0038-opj_j2k_validate_param.patch: Validate all SGcod/SPcod/SPcoc parameter values.
diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c
index 690b533..c647374 100644
--- a/third_party/libopenjpeg20/j2k.c
+++ b/third_party/libopenjpeg20/j2k.c
@@ -2710,6 +2710,12 @@
opj_read_bytes(p_header_data, &l_tcp->mct, 1); /* SGcod (C) */
++p_header_data;
+ if (l_tcp->mct > 1) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Invalid multiple component transformation\n");
+ return OPJ_FALSE;
+ }
+
p_header_size -= 5;
for (i = 0; i < l_image->numcomps; ++i) {
l_tcp->tccps[i].csty = l_tcp->csty & J2K_CCP_CSTY_PRT;
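Review bot: Both new checks run after `opj_read_bytes` has already written the codestream byte into the live structure (`l_tcp->mct` here, `l_tccp->qmfbid` in the second hunk), so the rejected value stays stored when the function returns `OPJ_FALSE`. That is safe only if every caller abandons the decode once the marker handler fails, which cannot be confirmed from these hunks because both functions begin and end outside them. A defensive option is to reset the field on the error path, e.g. `l_tcp->mct = 0;` immediately before `return OPJ_FALSE;`. It would also help triage of rejected files if the message named the marker and the value, e.g. `"Invalid multiple component transformation in COD marker: %u\n", l_tcp->mct`. Either change is best proposed upstream first so the vendored copy keeps matching the recorded 0038 patch.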
@@ -9808,6 +9814,12 @@
opj_read_bytes(l_current_ptr, &l_tccp->qmfbid, 1); /* SPcoc (H) */
++l_current_ptr;
+ if (l_tccp->qmfbid > 1) {
+ opj_event_msg(p_manager, EVT_ERROR,
+ "Error reading SPCod SPCoc element, Invalid transformation found\n");
+ return OPJ_FALSE;
+ }
+
*p_header_size = *p_header_size - 5;
/* use custom precinct size ? */
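Review bot: The context line above the new `qmfbid` check ends in `/* SPcoc (H) */`, but the corresponding context line recorded in 0038-opj_j2k_validate_param.patch does not. The hunk offsets also differ (2698/9792 there, 2710/9808 here), so the recorded patch appears to have been taken from the upstream tree rather than generated against this copy. It may therefore not re-apply without fuzz when the library is next re-imported, and regenerating it from the local `j2k.c` would keep the patch series reproducible. Separately, the README entry says "Validate all SGcod/SPcod/SPcoc parameter values", while the visible change adds range checks for two fields only. Wording such as `Reject out-of-range mct and qmfbid values.` would describe it more exactly, unless the other fields are already checked outside these hunks.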