opj_t1_encode_cblks: fix UBSAN signed integer overflow

Fixes #1053 / CVE-2018-5727 Note: I don't consider this issue to be a security vulnerability, in practice. At least with gcc or clang compilers on x86_64 which generate the same assembly code with or without that fix.
2019-03-29 11:17:39 +01:00 · 2019-03-29 11:17:39 +01:00 · a1d32a596a
parent 25b815dc46
commit a1d32a596a
1 changed files with 10 additions and 1 deletions
--- a/src/lib/openjp2/t1.c
+++ b/src/lib/openjp2/t1.c
@ -2168,9 +2168,18 @@ OPJ_BOOL opj_t1_encode_cblks(opj_t1_t *t1,
                        t1->data = tiledp;
                        t1->data_stride = tile_w;
                        if (tccp->qmfbid == 1) {
+                            /* Do multiplication on unsigned type, even if the
+                             * underlying type is signed, to avoid potential
+                             * int overflow on large value (the output will be
+                             * incorrect in such situation, but whatever...)
+                             * This assumes complement-to-2 signed integer
+                             * representation
+                             * Fixes https://github.com/uclouvain/openjpeg/issues/1053
+                             */
+                            OPJ_UINT32* OPJ_RESTRICT tiledp_u = (OPJ_UINT32*) tiledp;
                            for (j = 0; j < cblk_h; ++j) {
                                for (i = 0; i < cblk_w; ++i) {
-                                    tiledp[tileIndex] *= (1 << T1_NMSEDEC_FRACBITS);
+                                    tiledp_u[tileIndex] <<= T1_NMSEDEC_FRACBITS;
                                    tileIndex++;
                                }
                                tileIndex += tileLineAdvance;