From 7256e43c48ba5f7b1b8ee2927a52dc783a7ab3ed Mon Sep 17 00:00:00 2001
From: Antonin Descampe
Date: Mon, 6 Oct 2014 21:05:21 +0000
Subject: [PATCH] [trunk] fixed PDF crash in Chrome (fixes issue 362)
---
 src/lib/openjp2/j2k.c | 9 +++++++++
 src/lib/openjp2/jp2.c | 8 +++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index f633f4fc..9b95b57e 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -3641,6 +3641,15 @@ OPJ_BOOL j2k_read_ppm_v3 (
 if (p_header_size) {
+ if (p_header_size < 4) {
+ opj_free(l_cp->ppm_data);
+ l_cp->ppm_data = NULL;
+ l_cp->ppm_buffer = NULL; /* TODO: no need for a new local variable: ppm_buffer and ppm_data are enough */
+ l_cp->ppm_len = 0;
+ l_cp->ppm = 0;
+ opj_event_msg(p_manager, EVT_ERROR, "Error reading PPM marker\n");
+ return OPJ_FALSE;
+ }
 opj_read_bytes(p_header_data,&l_N_ppm,4); /* N_ppm^i */
 p_header_data+=4;
 p_header_size-=4;
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
index b52bd445..d408d8e4 100644
--- a/src/lib/openjp2/jp2.c
+++ b/src/lib/openjp2/jp2.c
@@ -1843,7 +1843,7 @@ OPJ_BOOL opj_jp2_read_header_procedure( opj_jp2_t *jp2,
 return OPJ_FALSE;
 }
 /* testcase 1851.pdf.SIGSEGV.ce9.948 */
- else if (box.length < l_nb_bytes_read) {
+ else if (box.length < l_nb_bytes_read) {
 opj_event_msg(p_manager, EVT_ERROR, "invalid box size %d (%x)\n", box.length, box.type);
 opj_free(l_current_data);
 return OPJ_FALSE;
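Review bot: The new `p_header_size < 4` guard in j2k_read_ppm_v3 gives no reason for the constant, and the generic "Error reading PPM marker" text does not say which check failed, so a truncated-marker rejection is indistinguishable in the log from any other PPM failure this function reports. Suggest a comment above the guard, `/* N_ppm^i is a 4-byte field; fewer bytes left means a truncated PPM marker */`, and a message naming the cause, e.g. `"Not enough bytes left to read N_ppm in PPM marker\n"`. The error path correctly frees ppm_data and resets the ppm fields before returning, but the value read into l_N_ppm is consumed after this hunk, so whether it is bounded against the remaining p_header_size before being used for a copy cannot be seen here; the body of j2k_read_ppm_v3 continues outside the hunk.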
@@ -1853,6 +1853,12 @@ OPJ_BOOL opj_jp2_read_header_procedure( opj_jp2_t *jp2,
 l_current_data_size = box.length - l_nb_bytes_read;
 if (l_current_handler != 00) {
+ if ((OPJ_OFF_T)l_current_data_size > opj_stream_get_number_byte_left(stream)) {
+ /* do not even try to malloc if we can't read */
+ opj_event_msg(p_manager, EVT_ERROR, "Invalid box size %d for box '%c%c%c%c'. Need %d bytes, %d bytes remaining \n", box.length, (OPJ_BYTE)(box.type>>24), (OPJ_BYTE)(box.type>>16), (OPJ_BYTE)(box.type>>8), (OPJ_BYTE)(box.type>>0), l_current_data_size, (OPJ_UINT32)opj_stream_get_number_byte_left(stream));
+ opj_free(l_current_data);
+ return OPJ_FALSE;
+ }
 if (l_current_data_size > l_last_data_size) {
 OPJ_BYTE* new_current_data = (OPJ_BYTE*)opj_realloc(l_current_data,l_current_data_size);
 if (!new_current_data) {
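Review bot: The new opj_event_msg call in opj_jp2_read_header_procedure prints its size operands with `%d` although at least the last one is explicitly cast to OPJ_UINT32 (and the `(OPJ_OFF_T)` widening of l_current_data_size in the condition suggests box.length and l_current_data_size are unsigned too), so a box declaring 2^31 bytes or more — the kind of malformed length this check exists to reject — is logged as a negative number; `%u` matches the operands, and the pre-existing `"invalid box size %d (%x)\n"` message in the hunk above has the same mismatch. The `(OPJ_UINT32)` cast on opj_stream_get_number_byte_left also truncates the OPJ_OFF_T remaining length in the diagnostic only, so the logged "bytes remaining" can be wrong for streams over 4 GiB; if that matters, print the untruncated value with a 64-bit conversion instead of casting. The check itself looks sound as far as visible: it runs before the realloc and frees l_current_data on the early return like the sibling error paths. The function's body continues on both sides of this hunk.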