M80: Avoid an integer overflow in OpenJPEG.
Patch in upstream commit 05f9b91e60debda0e83977e5e63b2e66486f7074.
TBR=tsepez@chromium.org
Bug: chromium:1047097
Change-Id: Ia9c3c9f3b130f87f47c5aaf5c3640c8008900ce4
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/65830
Auto-Submit: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 65137d177ac2f6c1591a1f6e8b8809936bfd088d)
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/66290
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/third_party/libopenjpeg20/0037-tcd_init_tile.patch b/third_party/libopenjpeg20/0037-tcd_init_tile.patch
new file mode 100644
index 0000000..e38a7ec
--- /dev/null
+++ b/third_party/libopenjpeg20/0037-tcd_init_tile.patch
@@ -0,0 +1,31 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 2ae211ef4..9e98f04ab 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium
index e812f13..2a13a61 100644
--- a/third_party/libopenjpeg20/README.pdfium
+++ b/third_party/libopenjpeg20/README.pdfium
@@ -28,3 +28,4 @@
0034-opj_malloc.patch: PDFium changes in opj_malloc.
0035-opj_image_data_free.patch: Use the right free function in opj_jp2_apply_pclr.
0036-opj_j2k_update_image_dimensions.patch: fix integer overflow.
+0037-tcd_init_tile.patch: Avoid integer overflow in opj_tcd_init_tile().
diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
index 2ae211e..9e98f04 100644
--- a/third_party/libopenjpeg20/tcd.c
+++ b/third_party/libopenjpeg20/tcd.c
@@ -910,8 +910,24 @@
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+ (OPJ_INT32)l_pdx)) << l_pdx;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_x_end = (OPJ_INT32)tmp;
+ }
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+ (OPJ_INT32)l_pdy)) << l_pdy;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_y_end = (OPJ_INT32)tmp;
+ }
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
