From 548aff34f4c3809bde94c8a9559ee98b5cd70f84 Mon Sep 17 00:00:00 2001
From: Matthieu Darbois
Date: Fri, 21 Nov 2014 21:35:43 +0000
Subject: [PATCH] [trunk] added check for tile component data size overflow (fixes issue 432)
---
 src/lib/openjp2/tcd.c | 14 +++++++++++++-
 tests/nonregression/test_suite.ctest.in | 2 ++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 19a0e172..31e05997 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -718,7 +718,19 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
 l_tilec->y1 = opj_int_ceildiv(l_tile->y1, (OPJ_INT32)l_image_comp->dy);
 /*fprintf(stderr, "\tTile compo border = %d,%d,%d,%d\n", l_tilec->x0, l_tilec->y0,l_tilec->x1,l_tilec->y1);*/
- l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0) * (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0) * (OPJ_UINT32)sizeof(OPJ_UINT32 );
+ /* compute l_data_size with overflow check */
+ l_data_size = (OPJ_UINT32)(l_tilec->x1 - l_tilec->x0);
+ if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {
+ /* TODO event */
+ return OPJ_FALSE;
+ }
+ l_data_size = l_data_size * (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0);
+
+ if ((((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(OPJ_UINT32)) < l_data_size) {
+ /* TODO event */
+ return OPJ_FALSE;
+ }
+ l_data_size = l_data_size * (OPJ_UINT32)sizeof(OPJ_UINT32);
 l_tilec->numresolutions = l_tccp->numresolutions;
 if (l_tccp->numresolutions < l_cp->m_specific_param.m_dec.m_reduce) {
 l_tilec->minimum_num_resolutions = 1;
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index f85326bb..def08568 100644
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
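Review bot: The first overflow guard divides by `l_data_size` before checking that it is non-zero, so a tile component whose `x1` equals `x0` (both are signed `opj_int_ceildiv` results and, as far as the hunk shows, nothing prevents them from coinciding) turns a previously harmless zero-size component into a division by zero, which is undefined behaviour in C and on most targets a SIGFPE. Guarding the division keeps the original behaviour for an empty component while still catching overflow: `if (l_data_size != 0 && (((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {`. Both `/* TODO event */` branches return OPJ_FALSE without reporting anything, so a rejected file surfaces only as a generic failure; if an event manager is reachable from this function, an EVT_ERROR message naming the tile component would make the fuzz-found case diagnosable. The check also relies on the `(OPJ_UINT32)` casts turning a negative `x1 - x0` or `y1 - y0` into a huge value that the division then rejects, which is correct but deserves a comment such as `/* a negative extent wraps to a huge OPJ_UINT32 and is rejected by the overflow test */`. opj_tcd_init_tile begins and ends outside this hunk.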
@@ -225,6 +225,8 @@ opj_decompress -i @INPUT_NR_PATH@/issue411-ycc422.jp2 -o @TEMP_PATH@/issue411-yc
 opj_decompress -i @INPUT_NR_PATH@/issue411-ycc420.jp2 -o @TEMP_PATH@/issue411-ycc420.jp2.pgx
 # issue 429 (from pdfium fuzz engine) 0 entries in PCLR box.
 !opj_decompress -i @INPUT_NR_PATH@/issue429.jp2 -o @TEMP_PATH@/issue429.jp2.pgx
+# issue 432 (from pdfium fuzz engine) Overflow in tcd tilec data size computation.
+!opj_decompress -i @INPUT_NR_PATH@/issue432.jp2 -o @TEMP_PATH@/issue432.jp2.pgx
 # decode with specific area
 # prec=12; nb_c=1