From edd82d1d7ced0744c5086cfbe0cff4051dc5fee5 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 7 Feb 2020 21:19:48 +0000
Subject: [Backport] Security bug 1047097
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cherry-pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/65830
https://pdfium-review.googlesource.com/c/pdfium/+/66290:
M80: Avoid an integer overflow in OpenJPEG.

Patch in upstream commit 05f9b91e60debda0e83977e5e63b2e66486f7074.

TBR=tsepez@chromium.org
Bug: chromium:1047097
Change-Id: Ia9c3c9f3b130f87f47c5aaf5c3640c8008900ce4
Auto-Submit: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 65137d177ac2f6c1591a1f6e8b8809936bfd088d)
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
---
 .../libopenjpeg20/0037-tcd_init_tile.patch         | 31 ++++++++++++++++++++++
 .../pdfium/third_party/libopenjpeg20/README.pdfium |  1 +
 .../pdfium/third_party/libopenjpeg20/tcd.c         | 20 ++++++++++++--
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch

diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch
new file mode 100644
index 00000000000..e38a7ec8712
--- /dev/null
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch
@@ -0,0 +1,31 @@
+diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c
+index 2ae211ef4..9e98f04ab 100644
+--- a/third_party/libopenjpeg20/tcd.c
++++ b/third_party/libopenjpeg20/tcd.c
+@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
+             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+             l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+-            l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+-            l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++                                  (OPJ_INT32)l_pdx)) << l_pdx;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_x_end = (OPJ_INT32)tmp;
++            }
++            {
++                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++                                  (OPJ_INT32)l_pdy)) << l_pdy;
++                if (tmp > (OPJ_UINT32)INT_MAX) {
++                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++                    return OPJ_FALSE;
++                }
++                l_br_prc_y_end = (OPJ_INT32)tmp;
++            }
+             /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+ 
+             l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
index 45d8bec44e6..8fc5d4be278 100644
--- a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium
@@ -29,3 +29,4 @@ Local Modifications:
 0034-opj_malloc.patch: PDFium changes in opj_malloc.
 0035-opj_image_data_free.patch: Use the right free function in opj_jp2_apply_pclr.
 0036-opj_j2k_update_image_dimensions.patch: fix integer overflow.
+0037-tcd_init_tile.patch: Avoid integer overflow in opj_tcd_init_tile().
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
index 2ae211ef45a..9e98f04ab8b 100644
--- a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
+++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c
@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
             l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
-            l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
-            l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
+            {
+                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
+                                  (OPJ_INT32)l_pdx)) << l_pdx;
+                if (tmp > (OPJ_UINT32)INT_MAX) {
+                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+                    return OPJ_FALSE;
+                }
+                l_br_prc_x_end = (OPJ_INT32)tmp;
+            }
+            {
+                OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
+                                  (OPJ_INT32)l_pdy)) << l_pdy;
+                if (tmp > (OPJ_UINT32)INT_MAX) {
+                    opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
+                    return OPJ_FALSE;
+                }
+                l_br_prc_y_end = (OPJ_INT32)tmp;
+            }
             /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
 
             l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
-- 
cgit v1.2.1