walkero
/
openjpeg
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

opj_t1_encode_cblks: fix UBSAN signed integer overflow 

Fixes #1053 / CVE-2018-5727

Note: I don't consider this issue to be a security vulnerability, in
practice.
At least with gcc or clang compilers on x86_64 which generate the same
assembly code with or without that fix.
This commit is contained in:
Even Rouault 2019-03-29 11:17:39 +01:00
parent 25b815dc46
commit a1d32a596a
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/lib/openjp2/t1.c
View File

@ -2168,9 +2168,18 @@ OPJ_BOOL opj_t1_encode_cblks(opj_t1_t *t1,
t1->data = tiledp; t1->data = tiledp;
t1->data_stride = tile_w; t1->data_stride = tile_w;
if (tccp->qmfbid == 1) { if (tccp->qmfbid == 1) {
/* Do multiplication on unsigned type, even if the
* underlying type is signed, to avoid potential
* int overflow on large value (the output will be
* incorrect in such situation, but whatever...)
* This assumes complement-to-2 signed integer
* representation
* Fixes https://github.com/uclouvain/openjpeg/issues/1053
*/
OPJ_UINT32* OPJ_RESTRICT tiledp_u = (OPJ_UINT32*) tiledp;
for (j = 0; j < cblk_h; ++j) { for (j = 0; j < cblk_h; ++j) {
for (i = 0; i < cblk_w; ++i) { for (i = 0; i < cblk_w; ++i) {
tiledp[tileIndex] *= (1 << T1_NMSEDEC_FRACBITS); tiledp_u[tileIndex] <<= T1_NMSEDEC_FRACBITS;
tileIndex++; tileIndex++;
} }
tileIndex += tileLineAdvance; tileIndex += tileLineAdvance;