From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 26 Jul 2017 16:05:56 +0000 (+0200)
Subject: Avoid division by zero in opj_pi_next_rpcl, opj_pi_next_pcrl, opj_pi_next_cprl (... 
X-Git-Tag: v2.2.0~58
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5c5319984b81e2aa32d1d83abdef0cdb8dbe7b18;p=openjpeg

Avoid division by zero in opj_pi_next_rpcl, opj_pi_next_pcrl, opj_pi_next_cprl (#938)

Fixes crash on id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17
---

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 1aae9d03..84c905fa 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -383,6 +383,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi)
                     }
                     res = &comp->resolutions[pi->resno];
                     levelno = comp->numresolutions - 1 - pi->resno;
+                    /* Avoids division by zero */
+                    /* Relates to id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 */
+                    /* of  https://github.com/uclouvain/openjpeg/issues/938 */
+                    if (((comp->dx << levelno) >> levelno) != comp->dx ||
+                            ((comp->dy << levelno) >> levelno) != comp->dy) {
+                        continue;
+                    }
                     trx0 = opj_int_ceildiv(pi->tx0, (OPJ_INT32)(comp->dx << levelno));
                     try0 = opj_int_ceildiv(pi->ty0, (OPJ_INT32)(comp->dy << levelno));
                     trx1 = opj_int_ceildiv(pi->tx1, (OPJ_INT32)(comp->dx << levelno));
@@ -493,6 +500,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi)
                     OPJ_INT32 prci, prcj;
                     res = &comp->resolutions[pi->resno];
                     levelno = comp->numresolutions - 1 - pi->resno;
+                    /* Avoids division by zero */
+                    /* Relates to id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 */
+                    /* of  https://github.com/uclouvain/openjpeg/issues/938 */
+                    if (((comp->dx << levelno) >> levelno) != comp->dx ||
+                            ((comp->dy << levelno) >> levelno) != comp->dy) {
+                        continue;
+                    }
                     trx0 = opj_int_ceildiv(pi->tx0, (OPJ_INT32)(comp->dx << levelno));
                     try0 = opj_int_ceildiv(pi->ty0, (OPJ_INT32)(comp->dy << levelno));
                     trx1 = opj_int_ceildiv(pi->tx1, (OPJ_INT32)(comp->dx << levelno));
@@ -601,6 +615,12 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi)
                     OPJ_INT32 prci, prcj;
                     res = &comp->resolutions[pi->resno];
                     levelno = comp->numresolutions - 1 - pi->resno;
+                    /* Avoids division by zero on id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 */
+                    /* of  https://github.com/uclouvain/openjpeg/issues/938 */
+                    if (((comp->dx << levelno) >> levelno) != comp->dx ||
+                            ((comp->dy << levelno) >> levelno) != comp->dy) {
+                        continue;
+                    }
                     trx0 = opj_int_ceildiv(pi->tx0, (OPJ_INT32)(comp->dx << levelno));
                     try0 = opj_int_ceildiv(pi->ty0, (OPJ_INT32)(comp->dy << levelno));
                     trx1 = opj_int_ceildiv(pi->tx1, (OPJ_INT32)(comp->dx << levelno));