File openjpeg2-CVE-2020-8112.patch of Package openjpeg2.26562
Index: openjpeg-2.1.0/src/lib/openjp2/tcd.c
===================================================================
--- openjpeg-2.1.0.orig/src/lib/openjp2/tcd.c
+++ openjpeg-2.1.0/src/lib/openjp2/tcd.c
@@ -783,8 +783,22 @@ OPJ_BOOL FUNCTION ( opj_tcd_t *p_tcd
/* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ \
l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; \
l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; \
- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; \
- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; \
+ { \
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, \
+ (OPJ_INT32)l_pdx)) << l_pdx; \
+ if (tmp > (OPJ_UINT32)INT_MAX) { \
+ return OPJ_FALSE; \
+ } \
+ l_br_prc_x_end = (OPJ_INT32)tmp; \
+ } \
+ { \
+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, \
+ (OPJ_INT32)l_pdy)) << l_pdy; \
+ if (tmp > (OPJ_UINT32)INT_MAX) { \
+ return OPJ_FALSE; \
+ } \
+ l_br_prc_y_end = (OPJ_INT32)tmp; \
+ } \
/*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ \
\
l_res->pw = (l_res->x0 == l_res->x1) ? 0 : (OPJ_UINT32)((l_br_prc_x_end - l_tl_prc_x_start) >> l_pdx); \
