1commit 4da04cd3e88a0280be526e16077c540a45cbbfa8
2Author: Aous Naman <[email protected]>
3Date:   Fri Aug 12 02:29:40 2022 +1000
4
5    Replace the assert in mel_init to an if statement to address an issue with fuzzing. (#1436)
6
8    Modified the mel_init code to replace the assert statement with an if statement, returning false when an incorrect sequence of bytes is encountered in the MEL segment.  Similar code should be added to the main MEL decoding subroutine, but the change is more involved; in any case, an incorrect sequence produces incorrect results, but should not be harmful or cause a crash.
8
9diff --git a/src/lib/openjp2/ht_dec.c b/src/lib/openjp2/ht_dec.c
10index a803d1bb..62a6c9e1 100644
11--- a/src/lib/openjp2/ht_dec.c
12+++ b/src/lib/openjp2/ht_dec.c
13@@ -294,7 +294,7 @@ void mel_decode(dec_mel_t *melp)
14   *  @param [in]  scup is the length of MEL+VLC segments
15   */
16 static INLINE
17-void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
18+OPJ_BOOL mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
19 {
20     int num;
21     int i;
22@@ -316,7 +316,9 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
23         OPJ_UINT64 d;
24         int d_bits;
25
26-        assert(melp->unstuff == OPJ_FALSE || melp->data[0] <= 0x8F);
27+        if (melp->unstuff == OPJ_TRUE && melp->data[0] > 0x8F) {
28+            return OPJ_FALSE;
29+        }
30         d = (melp->size > 0) ? *melp->data : 0xFF; // if buffer is consumed
31         // set data to 0xFF
32         if (melp->size == 1) {
33@@ -332,6 +334,7 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
34     }
35     melp->tmp <<= (64 - melp->bits); //push all the way up so the first bit
36     // is the MSB
37+    return OPJ_TRUE;
38 }
39
40 //************************************************************************/
41@@ -1374,7 +1377,17 @@ OPJ_BOOL opj_t1_ht_decode_cblk(opj_t1_t *t1,
42     }
43
44     // init structures
45-    mel_init(&mel, coded_data, lcup, scup);
46+    if (mel_init(&mel, coded_data, lcup, scup) == OPJ_FALSE) {
47+        if (p_manager_mutex) {
48+            opj_mutex_lock(p_manager_mutex);
49+        }
50+        opj_event_msg(p_manager, EVT_ERROR, "Malformed HT codeblock. "
51+                      "Incorrect MEL segment sequence.\n");
52+        if (p_manager_mutex) {
53+            opj_mutex_unlock(p_manager_mutex);
54+        }
55+        return OPJ_FALSE;
56+    }
57     rev_init(&vlc, coded_data, lcup, scup);
58     frwd_init(&magsgn, coded_data, lcup - scup, 0xFF);
59     if (num_passes > 1) { // needs to be tested
60