What steps will reproduce the problem?
This original issue was raised in Chromium (https://code.google.com/p/chromium).
The original bug number is 453553.
What is the expected output? What do you see instead?
No crashes. ASAN reports SEGV on unknown address.
What version of the product are you using? On what operating system?
Reproduced on Ubuntu Linux, not on Windows.
Please provide any additional information below.
In the function opj_j2k_update_image_data, the following code doesn't check
whether the product l_img_comp_dest->w * l_img_comp_dest->h overflows:

    l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_img_comp_dest->w * l_img_comp_dest->h, sizeof(OPJ_INT32));
There is no problem on Windows because opj_malloc has different definitions,
shown below. The overflow is checked under _MSC_VER.

    #ifdef _MSC_VER
    #define opj_malloc(size) ((size_t)(size) >= (size_t)-0x100 ? NULL : malloc(size))
    #else
    #define opj_malloc(size) malloc(size)
    #endif
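The wrap described above, beside an overflow-aware replacement, as an added example that is not part of the original report or of OpenJPEG itself. It assumes the component width and height are 32-bit unsigned values and that the buffer holds one OPJ_INT32 per pixel; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed here: component width/height are 32-bit unsigned, and the
   sample buffer holds one 32-bit integer per pixel. */
typedef uint32_t OPJ_UINT32;
typedef int32_t  OPJ_INT32;

/* The computation as quoted in the report: the 32-bit product w*h wraps
   before anything widens it to size_t, so a huge image can turn into a
   tiny allocation that is later overrun. */
static size_t unchecked_alloc_size(OPJ_UINT32 w, OPJ_UINT32 h)
{
    return (size_t)(w * h) * sizeof(OPJ_INT32);
}

/* Overflow-aware replacement. Returns 1 and stores the byte count in
   *out (if non-NULL) when w*h*sizeof(OPJ_INT32) fits in size_t;
   returns 0 otherwise. Correct for both 32- and 64-bit size_t. */
static int checked_alloc_size(OPJ_UINT32 w, OPJ_UINT32 h, size_t *out)
{
    uint64_t pixels = (uint64_t)w * (uint64_t)h;   /* cannot overflow */
    if (pixels > SIZE_MAX / sizeof(OPJ_INT32)) {
        return 0;                                  /* would not fit */
    }
    if (out) *out = (size_t)pixels * sizeof(OPJ_INT32);
    return 1;
}

/* calloc wrapper that refuses the allocation instead of wrapping. */
static OPJ_INT32 *alloc_component_data(OPJ_UINT32 w, OPJ_UINT32 h)
{
    if (!checked_alloc_size(w, h, NULL)) {
        return NULL;
    }
    return (OPJ_INT32 *)calloc((size_t)w * (size_t)h, sizeof(OPJ_INT32));
}

int main(void)
{
    /* Constructed input: 65536 x 65536 wraps to 0 in 32-bit arithmetic. */
    OPJ_UINT32 w = 0x10000u, h = 0x10000u;
    size_t bytes = 0;
    printf("unchecked: %zu bytes\n", unchecked_alloc_size(w, h));
    if (checked_alloc_size(w, h, &bytes))
        printf("checked:   %zu bytes\n", bytes);
    else
        printf("checked:   rejected (would overflow size_t)\n");
    return 0;
}
```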
Original issue reported on code.google.com by jun_f...@foxitsoftware.com on 15 Mar 2015 at 6:02