[JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423

Signed-off-by: Young_X <YangX92@hotmail.com>
author: Young_X <YangX92@hotmail.com> 2018-11-23 17:15:05 +0800
committer: Young Xiao <YangX92@hotmail.com> 2018-11-28 14:39:15 +0800
commit: bd88611ed9ad7144ec4f3de54790cd848175891b (patch)
tree: 7f55b0823d2c9699812bdf87dbd99e7be10fb584
parent: ce9583d1d7627e007a34a31ae4e22a00d78bd153 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
index a03be45e..a58ebcc7 100644
--- a/src/lib/openjp3d/pi.c
+++ b/src/lib/openjp3d/pi.c
@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
                         rpx = res->pdx + levelnox;
                         rpy = res->pdy + levelnoy;
                         rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                 (trx0 << levelnox) % (1 << rpx)))) {
                             continue;
@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
                         rpx = res->pdx + levelnox;
                         rpy = res->pdy + levelnoy;
                         rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                 (trx0 << levelnox) % (1 << rpx)))) {
                             continue;
@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
                         rpx = res->pdx + levelnox;
                         rpy = res->pdy + levelnoy;
                         rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                         if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                 (trx0 << levelnox) % (1 << rpx)))) {
                             continue;
author	Young_X <YangX92@hotmail.com>	2018-11-23 17:15:05 +0800
committer	Young Xiao <YangX92@hotmail.com>	2018-11-28 14:39:15 +0800
commit	bd88611ed9ad7144ec4f3de54790cd848175891b (patch)
tree	7f55b0823d2c9699812bdf87dbd99e7be10fb584
parent	ce9583d1d7627e007a34a31ae4e22a00d78bd153 (diff)