opj_tcd_dc_level_shift_decode(): avoid int overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2516. Credit to OSS Fuzz

2017-07-28 22:06:26 +02:00 · 2017-07-28 22:06:26 +02:00 · 361c4506fd
parent 7bdbe490cb
commit 361c4506fd
1 changed files with 9 additions and 2 deletions
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@ -1890,8 +1890,15 @@ static OPJ_BOOL opj_tcd_dc_level_shift_decode(opj_tcd_t *p_tcd)
            for (j = 0; j < l_height; ++j) {
                for (i = 0; i < l_width; ++i) {
                    OPJ_FLOAT32 l_value = *((OPJ_FLOAT32 *) l_current_ptr);
-                    *l_current_ptr = opj_int_clamp((OPJ_INT32)opj_lrintf(l_value) +
+                    OPJ_INT32 l_value_int = (OPJ_INT32)opj_lrintf(l_value);
-                                                   l_tccp->m_dc_level_shift, l_min, l_max); ;
+                    if (l_value > INT_MAX ||
                            (l_value_int > 0 && l_tccp->m_dc_level_shift > 0 &&
                             l_value_int > INT_MAX - l_tccp->m_dc_level_shift)) {
                        *l_current_ptr = l_max;
                    } else {
                        *l_current_ptr = opj_int_clamp(
                                             l_value_int + l_tccp->m_dc_level_shift, l_min, l_max);
                    }
                    ++l_current_ptr;
                }
                l_current_ptr += l_stride;