diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2019-03-29 11:17:39 +0100 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2019-03-29 11:17:39 +0100 |
| commit | a1d32a596a94280178c44a55d7e7f1acd992ed5d (patch) | |
| tree | 7f38fca07f99aa2261fb97d1e0ff1c0b3b5cf06e /src | |
| parent | 25b815dc460dbf9def7e6b822c8998727094f85a (diff) | |
opj_t1_encode_cblks: fix UBSAN signed integer overflow
Fixes #1053 / CVE-2018-5727
Note: I don't consider this issue to be a security vulnerability, in
practice.
At least with gcc or clang compilers on x86_64 which generate the same
assembly code with or without that fix.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/openjp2/t1.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/lib/openjp2/t1.c b/src/lib/openjp2/t1.c index ec04c682..f6f76711 100644 --- a/src/lib/openjp2/t1.c +++ b/src/lib/openjp2/t1.c @@ -2168,9 +2168,18 @@ OPJ_BOOL opj_t1_encode_cblks(opj_t1_t *t1, t1->data = tiledp; t1->data_stride = tile_w; if (tccp->qmfbid == 1) { + /* Do multiplication on unsigned type, even if the + * underlying type is signed, to avoid potential + * int overflow on large value (the output will be + * incorrect in such situation, but whatever...) + * This assumes complement-to-2 signed integer + * representation + * Fixes https://github.com/uclouvain/openjpeg/issues/1053 + */ + OPJ_UINT32* OPJ_RESTRICT tiledp_u = (OPJ_UINT32*) tiledp; for (j = 0; j < cblk_h; ++j) { for (i = 0; i < cblk_w; ++i) { - tiledp[tileIndex] *= (1 << T1_NMSEDEC_FRACBITS); + tiledp_u[tileIndex] <<= T1_NMSEDEC_FRACBITS; tileIndex++; } tileIndex += tileLineAdvance; |