From 713429b8faa94ddb169b6d8147c421d0bb8756af Mon Sep 17 00:00:00 2001
From: TryLab <494467347@qq.com>
Date: Tue, 16 Aug 2016 17:22:57 +0800
Subject: [PATCH 1/5] Fix an integer overflow issue

Prevent an integer overflow issue in function opj_pi_create_decode of
pi.c.
---
 src/lib/openjp2/pi.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index cffad6684..bf9c2e9c6 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -36,6 +36,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <limits.h>
 #include "opj_includes.h"
 
 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1237,7 +1238,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	l_current_pi = l_pi;
 
 	/* memory allocation for include */
-	l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+	/* prevent an integer overflow issue */
+	l_current_pi->include = 00;
+	if (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+	{
+		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
+	}
+
 	if
 		(!l_current_pi->include)
 	{

From 7f703c696b2196e1a1777530cd0a5aefe3194e69 Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Tue, 23 Aug 2016 17:02:21 +0800
Subject: [PATCH 2/5] Fix an integer overflow issue

Making it more secure to call opj_calloc.
---
 src/lib/openjp2/pi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index bf9c2e9c6..affd5d0fd 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1240,7 +1240,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	/* memory allocation for include */
 	/* prevent an integer overflow issue */
 	l_current_pi->include = 00;
-	if (l_step_l && l_tcp->numlayers < UINT_MAX / l_step_l - 1)
+	if (l_step_l && l_tcp->numlayers < UINT_MAX / sizeof(OPJ_INT16) / l_step_l - 1)
 	{
 		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
 	}

From a65c9452da0794d2b11e391e44001fbf68247f58 Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Thu, 25 Aug 2016 12:01:44 +0800
Subject: [PATCH 3/5] Fix an integer overflow issue

Remove header file limits.h
---
 src/lib/openjp2/pi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index affd5d0fd..1b624651f 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -36,7 +36,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <limits.h>
 #include "opj_includes.h"
 
 /** @defgroup PI PI - Implementation of a packet iterator */
@@ -1240,7 +1239,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	/* memory allocation for include */
 	/* prevent an integer overflow issue */
 	l_current_pi->include = 00;
-	if (l_step_l && l_tcp->numlayers < UINT_MAX / sizeof(OPJ_INT16) / l_step_l - 1)
+	if (l_step_l && l_tcp->numlayers < ((OPJ_UINT32)-1) / sizeof(OPJ_INT16) / l_step_l - 1)
 	{
 		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
 	}

From 79a397df02788e8a0c4a0441befb6ba4a294910e Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Thu, 25 Aug 2016 12:54:31 +0800
Subject: [PATCH 4/5] Fix an integer overflow issue

Replace OPJ_UINT32 with SIZE_MAX
---
 src/lib/openjp2/pi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 1b624651f..6e3b8d95d 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1239,7 +1239,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	/* memory allocation for include */
 	/* prevent an integer overflow issue */
 	l_current_pi->include = 00;
-	if (l_step_l && l_tcp->numlayers < ((OPJ_UINT32)-1) / sizeof(OPJ_INT16) / l_step_l - 1)
+	if (l_step_l && l_tcp->numlayers < ((SIZE_MAX)-1) / sizeof(OPJ_INT16) / l_step_l - 1)
 	{
 		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
 	}

From 7816ec3a11066642ff2d8d2286680ca91273e40e Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Tue, 6 Sep 2016 09:16:54 +0800
Subject: [PATCH 5/5] Fix integer overflow in opj_pi_create_decode

Simplify code
---
 src/lib/openjp2/pi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 6e3b8d95d..36e2ff0cf 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1239,7 +1239,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
 	/* memory allocation for include */
 	/* prevent an integer overflow issue */
 	l_current_pi->include = 00;
-	if (l_step_l && l_tcp->numlayers < ((SIZE_MAX)-1) / sizeof(OPJ_INT16) / l_step_l - 1)
+	if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
 	{
 		l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
 	}