[trunk] Fix overflow in opj_image_comp_header_update (fixes issue 495)

2 files changed, 25 insertions, 14 deletions

diff --git a/src/lib/openjp2/image.c b/src/lib/openjp2/image.c
index 8e68668e..3646e998 100644
--- a/src/lib/openjp2/image.c
+++ b/src/lib/openjp2/image.c
@@ -107,27 +107,29 @@ void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
 void opj_image_comp_header_update(opj_image_t * p_image_header, const struct opj_cp * p_cp)
 {
 	OPJ_UINT32 i, l_width, l_height;
-	OPJ_INT32 l_x0, l_y0, l_x1, l_y1;
-	OPJ_INT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
+	OPJ_UINT32 l_x0, l_y0, l_x1, l_y1;
+	OPJ_UINT32 l_comp_x0, l_comp_y0, l_comp_x1, l_comp_y1;
 	opj_image_comp_t* l_img_comp = NULL;
 
-	l_x0 = opj_int_max((OPJ_INT32)p_cp->tx0 , (OPJ_INT32)p_image_header->x0);
-	l_y0 = opj_int_max((OPJ_INT32)p_cp->ty0 , (OPJ_INT32)p_image_header->y0);
-	l_x1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + p_cp->tw * p_cp->tdx), (OPJ_INT32)p_image_header->x1);
-	l_y1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + p_cp->th * p_cp->tdy), (OPJ_INT32)p_image_header->y1);
+	l_x0 = opj_uint_max(p_cp->tx0 , p_image_header->x0);
+	l_y0 = opj_uint_max(p_cp->ty0 , p_image_header->y0);
+	l_x1 = p_cp->tx0 + (p_cp->tw - 1U) * p_cp->tdx; /* validity of p_cp members used here checked in opj_j2k_read_siz. Can't overflow. */
+	l_y1 = p_cp->ty0 + (p_cp->th - 1U) * p_cp->tdy; /* can't overflow */
+	l_x1 = opj_uint_min(opj_uint_adds(l_x1, p_cp->tdx), p_image_header->x1); /* use add saturated to prevent overflow */
+	l_y1 = opj_uint_min(opj_uint_adds(l_y1, p_cp->tdy), p_image_header->y1); /* use add saturated to prevent overflow */
 
 	l_img_comp = p_image_header->comps;
 	for	(i = 0; i < p_image_header->numcomps; ++i) {
-		l_comp_x0 = opj_int_ceildiv(l_x0, (OPJ_INT32)l_img_comp->dx);
-		l_comp_y0 = opj_int_ceildiv(l_y0, (OPJ_INT32)l_img_comp->dy);
-		l_comp_x1 = opj_int_ceildiv(l_x1, (OPJ_INT32)l_img_comp->dx);
-		l_comp_y1 = opj_int_ceildiv(l_y1, (OPJ_INT32)l_img_comp->dy);
-		l_width = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_x1 - l_comp_x0, (OPJ_INT32)l_img_comp->factor);
-		l_height = (OPJ_UINT32)opj_int_ceildivpow2(l_comp_y1 - l_comp_y0, (OPJ_INT32)l_img_comp->factor);
+		l_comp_x0 = opj_uint_ceildiv(l_x0, l_img_comp->dx);
+		l_comp_y0 = opj_uint_ceildiv(l_y0, l_img_comp->dy);
+		l_comp_x1 = opj_uint_ceildiv(l_x1, l_img_comp->dx);
+		l_comp_y1 = opj_uint_ceildiv(l_y1, l_img_comp->dy);
+		l_width   = opj_uint_ceildivpow2(l_comp_x1 - l_comp_x0, l_img_comp->factor);
+		l_height  = opj_uint_ceildivpow2(l_comp_y1 - l_comp_y0, l_img_comp->factor);
 		l_img_comp->w = l_width;
 		l_img_comp->h = l_height;
-		l_img_comp->x0 = (OPJ_UINT32)l_comp_x0/*l_x0*/;
-		l_img_comp->y0 = (OPJ_UINT32)l_comp_y0/*l_y0*/;
+		l_img_comp->x0 = l_comp_x0;
+		l_img_comp->y0 = l_comp_y0;
 		++l_img_comp;
 	}
 }
diff --git a/src/lib/openjp2/opj_intmath.h b/src/lib/openjp2/opj_intmath.h
index 4e299469..8fa89c03 100644
--- a/src/lib/openjp2/opj_intmath.h
+++ b/src/lib/openjp2/opj_intmath.h
@@ -137,6 +137,15 @@ Divide an integer by a power of 2 and round upwards
 static INLINE OPJ_INT32 opj_int_ceildivpow2(OPJ_INT32 a, OPJ_INT32 b) {
 	return (OPJ_INT32)((a + (OPJ_INT64)(1 << b) - 1) >> b);
 }
+
+/**
+ Divide an integer by a power of 2 and round upwards
+ @return Returns a divided by 2^b
+ */
+static INLINE OPJ_UINT32 opj_uint_ceildivpow2(OPJ_UINT32 a, OPJ_UINT32 b) {
+	return (OPJ_UINT32)((a + (OPJ_UINT64)(1U << b) - 1U) >> b);
+}
+
 /**
 Divide an integer by a power of 2 and round downwards
 @return Returns a divided by 2^b