[JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423

author Young_X <YangX92@hotmail.com>

Fri, 23 Nov 2018 09:15:05 +0000 (17:15 +0800)

committer Young Xiao <YangX92@hotmail.com>

Wed, 28 Nov 2018 06:39:15 +0000 (14:39 +0800)
author Young_X <YangX92@hotmail.com>
Fri, 23 Nov 2018 09:15:05 +0000 (17:15 +0800)
committer Young Xiao <YangX92@hotmail.com>
Wed, 28 Nov 2018 06:39:15 +0000 (14:39 +0800)
diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c

index a03be45e7364bc368b2f1e2fbd645368a8ef4b4d..a58ebcc7ce6464ce7591eaa00bd807dc374c468d 100644 (file)
--- a/src/lib/openjp3d/pi.c
+++ b/src/lib/openjp3d/pi.c
@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
                          rpx = res->pdx + levelnox;
                          rpy = res->pdy + levelnoy;
                          rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                          if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                  (trx0 << levelnox) % (1 << rpx)))) {
                              continue;
@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
                          rpx = res->pdx + levelnox;
                          rpy = res->pdy + levelnoy;
                          rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                          if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                  (trx0 << levelnox) % (1 << rpx)))) {
                              continue;
@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
                          rpx = res->pdx + levelnox;
                          rpy = res->pdy + levelnoy;
                          rpz = res->pdz + levelnoz;
+
+                        /* To avoid divisions by zero / undefined behaviour on shift */
+                        if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+                                rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
+                                rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
+                            continue;
+                        }
+
                          if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                  (trx0 << levelnox) % (1 << rpx)))) {
                              continue;
author	Young_X <YangX92@hotmail.com>
	Fri, 23 Nov 2018 09:15:05 +0000 (17:15 +0800)
committer	Young Xiao <YangX92@hotmail.com>
	Wed, 28 Nov 2018 06:39:15 +0000 (14:39 +0800)