1 diff --git a/third_party/libopenjpeg20/tcd.c b/third_party/libopenjpeg20/tcd.c 2 index f0710cd14..35d15e3d1 100644 3 --- a/third_party/libopenjpeg20/tcd.c 4 +++ b/third_party/libopenjpeg20/tcd.c 5 @@ -1040,9 +1040,15 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, 6 cblkwidthexpn); 7 l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> 8 cblkheightexpn); 9 - 10 + if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) { 11 + return OPJ_FALSE; 12 + } 13 l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch; 14 /*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */ 15 + 16 + if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) { 17 + return OPJ_FALSE; 18 + } 19 l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block; 20 21 if (!l_current_precinct->cblks.blocks && (l_nb_code_blocks > 0U)) { 22
