From: Even Rouault
Date: Fri, 28 Jul 2017 20:06:26 +0000 (+0200)
Subject: opj_tcd_dc_level_shift_decode(): avoid int overflow. Fixes https://bugs.chromium...
X-Git-Tag: v2.2.0~42
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=361c4506fdfb9b6f0e41d86d5d0ea1efb5704ecf;p=openjpeg
opj_tcd_dc_level_shift_decode(): avoid int overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2516. Credit to OSS Fuzz
---
diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index a6921464..4d53e8b5 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1890,8 +1890,15 @@ static OPJ_BOOL opj_tcd_dc_level_shift_decode(opj_tcd_t *p_tcd)
 for (j = 0; j < l_height; ++j) {
 for (i = 0; i < l_width; ++i) {
 OPJ_FLOAT32 l_value = *((OPJ_FLOAT32 *) l_current_ptr);
- *l_current_ptr = opj_int_clamp((OPJ_INT32)opj_lrintf(l_value) +
- l_tccp->m_dc_level_shift, l_min, l_max); ;
+ OPJ_INT32 l_value_int = (OPJ_INT32)opj_lrintf(l_value);
+ if (l_value > INT_MAX ||
+ (l_value_int > 0 && l_tccp->m_dc_level_shift > 0 &&
+ l_value_int > INT_MAX - l_tccp->m_dc_level_shift)) {
+ *l_current_ptr = l_max;
+ } else {
+ *l_current_ptr = opj_int_clamp(
+ l_value_int + l_tccp->m_dc_level_shift, l_min, l_max);
+ }
 ++l_current_ptr;
 }
 l_current_ptr += l_stride;
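Review bot: The new guard still runs after `(OPJ_INT32)opj_lrintf(l_value)` on the first added line, so an out-of-range float is rounded and narrowed before the check decides anything, and the check only covers the positive direction: a large negative `l_value_int` added to a negative `m_dc_level_shift` still overflows `OPJ_INT32` in the `else` branch, which is undefined behavior in signed arithmetic. `l_value > INT_MAX` also promotes `INT_MAX` to `float` (2^31), so a value of exactly 2147483648.0f passes the guard and reaches the rounding. The defensive shape is to compare the float against both bounds before rounding and to do the shift in a 64-bit temporary, as sketched below; the enclosing loops and opj_tcd_dc_level_shift_decode itself start and end outside the hunk, and that `opj_lrintf()` returns `long` is inferred from its name rather than visible here.
```c
OPJ_FLOAT32 l_value = *((OPJ_FLOAT32 *) l_current_ptr);
/* Compare in float before rounding: (float)INT_MAX is 2^31 and
 * (float)INT_MIN is -2^31; a NaN fails both '<' tests and lands on l_max. */
if (!(l_value < (OPJ_FLOAT32)INT_MAX)) {
    *l_current_ptr = l_max;
} else if (l_value < (OPJ_FLOAT32)INT_MIN) {
    *l_current_ptr = l_min;
} else {
    /* 64-bit sum: neither sign of m_dc_level_shift can overflow here. */
    OPJ_INT64 l_shifted = (OPJ_INT64)opj_lrintf(l_value) + l_tccp->m_dc_level_shift;
    if (l_shifted > l_max) {
        l_shifted = l_max;
    } else if (l_shifted < l_min) {
        l_shifted = l_min;
    }
    *l_current_ptr = (OPJ_INT32)l_shifted;
}
/* … unchanged: ++l_current_ptr and the stride advance … */
```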