diff options
author | Lei Zhang <thestig@chromium.org> | 2020-02-07 21:19:48 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 08:16:30 +0000 |
commit | 1bdf6178d9a433134bd961c2027512c54bf3b61c (patch) | |
tree | 2a8214e76aae22a98581f3c450f9e40dfec83cbf | |
parent | 09277a67339d27943461b821d91170a37726fdc0 (diff) | |
download | qtwebengine-chromium-1bdf6178d9a433134bd961c2027512c54bf3b61c.tar.gz |
[Backport] Security bug 1047097
Cherry-pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/65830
https://pdfium-review.googlesource.com/c/pdfium/+/66290:
M80: Avoid an integer overflow in OpenJPEG.
Patch in upstream commit 05f9b91e60debda0e83977e5e63b2e66486f7074.
TBR=tsepez@chromium.org
Bug: chromium:1047097
Change-Id: Ia9c3c9f3b130f87f47c5aaf5c3640c8008900ce4
Auto-Submit: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 65137d177ac2f6c1591a1f6e8b8809936bfd088d)
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
3 files changed, 50 insertions, 2 deletions
diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch new file mode 100644 index 00000000000..e38a7ec8712 --- /dev/null +++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/0037-tcd_init_tile.patch @@ -0,0 +1,31 @@ +diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c +index 2ae211ef4..9e98f04ab 100644 +--- a/third_party/libopenjpeg20/tcd.c ++++ b/third_party/libopenjpeg20/tcd.c +@@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ + l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; + l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; +- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; +- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, ++ (OPJ_INT32)l_pdx)) << l_pdx; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_x_end = (OPJ_INT32)tmp; ++ } ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, ++ (OPJ_INT32)l_pdy)) << l_pdy; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_y_end = (OPJ_INT32)tmp; ++ } + /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ + + l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium index 1805000634e..41de42aa932 100644 --- a/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium +++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/README.pdfium @@ -28,3 +28,4 @@ Local Modifications: 0033-undefined-shift-opj_t1_dec_clnpass.patch: fix undefined shifts originated from opj_t1_decode_cblk. 0034-opj_malloc.patch: PDFium changes in opj_malloc. 0035-opj_j2k_update_image_dimensions.patch: fix integer overflow. +0037-tcd_init_tile.patch: Avoid integer overflow in opj_tcd_init_tile(). diff --git a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c index 7298fa39345..986e4acc025 100644 --- a/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c +++ b/chromium/third_party/pdfium/third_party/libopenjpeg20/tcd.c @@ -910,8 +910,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; - l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; - l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, + (OPJ_INT32)l_pdx)) << l_pdx; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_x_end = (OPJ_INT32)tmp; + } + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, + (OPJ_INT32)l_pdy)) << l_pdy; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_y_end = (OPJ_INT32)tmp; + } /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( |