summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2020-02-07 21:19:48 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-10 15:48:58 +0000
commitedd82d1d7ced0744c5086cfbe0cff4051dc5fee5 (patch)
treeb813aae14dd7e0e72db08345e6f23a3c9ff2a696
parent5043a049628bbc0c28e00e40e87744efc96a8472 (diff)
downloadqtwebengine-chromium-edd82d1d7ced0744c5086cfbe0cff4051dc5fee5.tar.gz
[Backport] Security bug 1047097
Cherry-pick of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/65830 https://pdfium-review.googlesource.com/c/pdfium/+/66290: M80: Avoid an integer overflow in OpenJPEG. Patch in upstream commit 05f9b91e60debda0e83977e5e63b2e66486f7074. TBR=tsepez@chromium.org Bug: chromium:1047097 Change-Id: Ia9c3c9f3b130f87f47c5aaf5c3640c8008900ce4 Auto-Submit: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org> (cherry picked from commit 65137d177ac2f6c1591a1f6e8b8809936bfd088d) Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat
-rw-r--r--chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch31
-rw-r--r--chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium1
-rw-r--r--chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c20
3 files changed, 50 insertions, 2 deletions
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch
new file mode 100644
index 00000000000..e38a7ec8712
--- /dev/null
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch
@@ -0,0 +1,31 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 2ae211ef4..9e98f04ab 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
index 45d8bec44e6..8fc5d4be278 100644
--- a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
@@ -29,3 +29,4 @@ Local Modifications:
0034-opj_malloc.patch: PDFium changes in opj_malloc.
0035-opj_image_data_free.patch: Use the right free function in opj_jp2_apply_pclr.
0036-opj_j2k_update_image_dimensions.patch: fix integer overflow.
+0037-tcd_init_tile.patch: Avoid integer overflow in opj_tcd_init_tile().
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
index 2ae211ef45a..9e98f04ab8b 100644
--- a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+ (OPJ_INT32)l_pdx)) << l_pdx;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_x_end = (OPJ_INT32)tmp;
+ }
+ {
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+ (OPJ_INT32)l_pdy)) << l_pdy;
+ if (tmp > (OPJ_UINT32)INT_MAX) {
+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+ return OPJ_FALSE;
+ }
+ l_br_prc_y_end = (OPJ_INT32)tmp;
+ }
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
View Lorry Controller Status