authorFlorian Kriener <floriank@google.com>2016-03-08 13:13:07 +0100
committerYujie Qin <yujieqin@google.com>2016-03-17 14:41:05 +0100
commit0420a20d94d620f471e47cf3f8c40facca5de58e (patch)
tree51301805e65b2557b6d6e69a63438ae475d225b7
parent0d8a86b53b40b3e8e3b7392e7bf5c51dbd327101 (diff)
Integrate integer overflow fixes from security branchandroid-cts_7.1_r1android-cts-7.1_r9android-cts-7.1_r8android-cts-7.1_r7android-cts-7.1_r6android-cts-7.1_r5android-cts-7.1_r4android-cts-7.1_r3android-cts-7.1_r29android-cts-7.1_r28android-cts-7.1_r27android-cts-7.1_r26android-cts-7.1_r25android-cts-7.1_r24android-cts-7.1_r23android-cts-7.1_r22android-cts-7.1_r21android-cts-7.1_r20android-cts-7.1_r2android-cts-7.1_r19android-cts-7.1_r18android-cts-7.1_r17android-cts-7.1_r16android-cts-7.1_r15android-cts-7.1_r14android-cts-7.1_r13android-cts-7.1_r12android-cts-7.1_r11android-cts-7.1_r10android-cts-7.1_r1android-7.1.2_r9android-7.1.2_r8android-7.1.2_r6android-7.1.2_r5android-7.1.2_r4android-7.1.2_r3android-7.1.2_r2android-7.1.2_r17android-7.1.2_r16android-7.1.2_r15android-7.1.2_r14android-7.1.2_r13android-7.1.2_r12android-7.1.2_r11android-7.1.2_r10android-7.1.2_r1android-7.1.1_r9android-7.1.1_r8android-7.1.1_r7android-7.1.1_r6android-7.1.1_r43android-7.1.1_r42android-7.1.1_r41android-7.1.1_r40android-7.1.1_r4android-7.1.1_r39android-7.1.1_r38android-7.1.1_r35android-7.1.1_r33android-7.1.1_r32android-7.1.1_r31android-7.1.1_r3android-7.1.1_r28android-7.1.1_r27android-7.1.1_r26android-7.1.1_r25android-7.1.1_r24android-7.1.1_r23android-7.1.1_r22android-7.1.1_r21android-7.1.1_r20android-7.1.1_r2android-7.1.1_r17android-7.1.1_r16android-7.1.1_r15android-7.1.1_r14android-7.1.1_r13android-7.1.1_r12android-7.1.1_r11android-7.1.1_r10android-7.1.1_r1android-7.1.0_r7android-7.1.0_r6android-7.1.0_r5android-7.1.0_r4android-7.1.0_r3android-7.1.0_r2android-7.1.0_r1nougat-mr2-devnougat-mr1.4-releasenougat-mr1.3-releasenougat-mr1.2-releasenougat-mr1-releasenougat-mr1-devnougat-mr1-cts-releasenougat-dr1-releasenougat-dev
cherry-pick of 1754202ed3e25b98179a4f377f0bdd605d9a157a for nyc-dev. Bug: 26535130 Change-Id: I9a97903cb9f79131b426736351f0d0a0060294e5
-rw-r--r--source/dng_info.cpp10
-rw-r--r--source/dng_memory.h1
-rw-r--r--source/dng_misc_opcodes.cpp7
-rw-r--r--source/dng_safe_arithmetic.cpp15
-rw-r--r--source/dng_safe_arithmetic.h5
-rw-r--r--source/dng_shared.cpp12
-rw-r--r--source/dng_stream.cpp4
-rw-r--r--source/dng_string.cpp28
8 files changed, 41 insertions, 41 deletions
diff --git a/source/dng_info.cpp b/source/dng_info.cpp
index ed87692..5b742aa 100644
--- a/source/dng_info.cpp
+++ b/source/dng_info.cpp
@@ -1501,10 +1501,11 @@ void dng_info::ParseDNGPrivateData (dng_host &host,
uint32 section_offset = 6;
- while (section_offset + 8 < fShared->fDNGPrivateDataCount)
+ while (SafeUint32Add(section_offset, 8) < fShared->fDNGPrivateDataCount)
{
- stream.SetReadPosition (fShared->fDNGPrivateDataOffset + section_offset);
+ stream.SetReadPosition (SafeUint64Add(fShared->fDNGPrivateDataOffset,
+ section_offset));
uint32 section_key = stream.Get_uint32 ();
uint32 section_count = stream.Get_uint32 ();
@@ -1867,11 +1868,12 @@ void dng_info::ParseDNGPrivateData (dng_host &host,
}
- section_offset += 8 + section_count;
+ section_offset = SafeUint32Add(section_offset, 8);
+ section_offset = SafeUint32Add(section_offset, section_count);
if (section_offset & 1)
{
- section_offset++;
+ section_offset = SafeUint32Add(section_offset, 1);
}
}
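Review bot: The three chained `SafeUint32Add` calls that advance `section_offset` need a short comment explaining why they exist, since `section_count` is read straight from the stream in the earlier hunk of this function. Suggested comment above the first call: `// section_count is file-controlled; the checked adds keep section_offset from wrapping to a smaller value.` How an overflow is reported depends on `SafeUint32Add`, whose definition is not in this diff, so it is worth confirming that callers of `ParseDNGPrivateData` handle that failure path. The function body starts and ends outside the hunk.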
diff --git a/source/dng_memory.h b/source/dng_memory.h
index 3966106..05e6f2b 100644
--- a/source/dng_memory.h
+++ b/source/dng_memory.h
@@ -552,6 +552,7 @@ class dng_std_allocator
// Default implementations of default constructor and copy constructor.
dng_std_allocator () = default;
dng_std_allocator (const dng_std_allocator&) = default;
+ template<typename U> dng_std_allocator (const dng_std_allocator<U>&) {}
T* allocate (size_t n)
{
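Review bot: The added converting constructor should be declared `noexcept`, because the standard allocator requirements expect construction from a rebound allocator not to throw, and it lacks a comment although the defaulted constructors above it have one. Proposed: `// Converting constructor required for allocator rebinding; the allocator is stateless.` followed by `template<typename U> dng_std_allocator (const dng_std_allocator<U>&) noexcept {}`. The "stateless" wording is inferred from the empty body and the defaulted constructors, so confirm it against the rest of the class, which lies outside the hunk.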
diff --git a/source/dng_misc_opcodes.cpp b/source/dng_misc_opcodes.cpp
index 5a6fa82..38297a0 100644
--- a/source/dng_misc_opcodes.cpp
+++ b/source/dng_misc_opcodes.cpp
@@ -293,7 +293,10 @@ dng_opcode_MapTable::dng_opcode_MapTable (dng_host &host,
fCount = stream.Get_uint32 ();
- if (dataSize != dng_area_spec::kDataSize + 4 + fCount * 2)
+ uint32 requiredSize = SafeUint32Mult(fCount, 2);
+ requiredSize = SafeUint32Add(requiredSize, dng_area_spec::kDataSize);
+ requiredSize = SafeUint32Add(requiredSize, 4);
+ if (dataSize != requiredSize)
{
ThrowBadFormat ();
}
@@ -591,7 +594,7 @@ uint32 dng_opcode_MapPolynomial::BufferPixelType (uint32 imagePixelType)
for (uint32 j = 0; j <= kMaxDegree; j++)
{
- fCoefficient32 [j] = (real32) (fCoefficient [j] * factor32);
+ fCoefficient32 [j] = ConvertDoubleToFloat(fCoefficient [j] * factor32);
factor32 *= scale32;
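Review bot: `ConvertDoubleToFloat` removes the out-of-range cast, but an oversized product is now stored in `fCoefficient32 [j]` as infinity, and NaN passes through unchanged, rather than being rejected. If the polynomial is later evaluated with these values, non-finite results can reach the pixel data. Consider rejecting non-finite coefficients where the opcode is parsed, or record the decision with a comment such as `// May be +/-inf or NaN for out-of-range coefficients; downstream code must tolerate that.` The accumulation `factor32 *= scale32` on the following line is not covered by the change; whether it can overflow depends on declarations outside the hunk.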
diff --git a/source/dng_safe_arithmetic.cpp b/source/dng_safe_arithmetic.cpp
index 96eaec8..5771861 100644
--- a/source/dng_safe_arithmetic.cpp
+++ b/source/dng_safe_arithmetic.cpp
@@ -1,5 +1,6 @@
#include "dng_safe_arithmetic.h"
+#include <cmath>
#include <limits>
#include "dng_exceptions.h"
@@ -295,3 +296,17 @@ std::uint32_t ConvertDoubleToUint32(double val) {
abort(); // Never reached.
}
}
+
+float ConvertDoubleToFloat(double val) {
+ const double kMax = std::numeric_limits<float>::max();
+ if (val > kMax) {
+ return std::numeric_limits<float>::infinity();
+ } else if (val < -kMax) {
+ return -std::numeric_limits<float>::infinity();
+ } else {
+ // The cases that end up here are:
+ // - values in [-kMax, kMax]
+ // - NaN (because it always compares false)
+ return static_cast<float>(val);
+ }
+}
diff --git a/source/dng_safe_arithmetic.h b/source/dng_safe_arithmetic.h
index 2535276..b229dc4 100644
--- a/source/dng_safe_arithmetic.h
+++ b/source/dng_safe_arithmetic.h
@@ -222,4 +222,9 @@ static void ConvertUnsigned(TSrc src, TDest *dest) {
std::int32_t ConvertDoubleToInt32(double val);
std::uint32_t ConvertDoubleToUint32(double val);
+// Returns the result of converting val to float. If val is outside of
+// [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is
+// returned as NaN.
+float ConvertDoubleToFloat(double val);
+
#endif // __dng_safe_arithmetic__
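Review bot: The new header comment is ambiguous: "-infinity and infinity is returned respectively" does not say which input yields which result. Suggested wording: `// Converts val to float. Values below -FLT_MAX return -infinity, values above FLT_MAX return +infinity, and NaN is returned as NaN.` It would also help callers to state that the function never throws, which matches the implementation added to dng_safe_arithmetic.cpp in this commit, where every branch returns a value.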
diff --git a/source/dng_shared.cpp b/source/dng_shared.cpp
index 3ff40a4..4b00d24 100644
--- a/source/dng_shared.cpp
+++ b/source/dng_shared.cpp
@@ -640,9 +640,8 @@ bool dng_camera_profile_info::ParseTag (dng_stream &stream,
if (!skipSat0)
{
- if (!CheckTagCount (parentCode, tagCode, tagCount, fProfileHues *
- fProfileSats *
- fProfileVals * 3))
+ if (!CheckTagCount (parentCode, tagCode, tagCount,
+ SafeUint32Mult(fProfileHues, fProfileSats, fProfileVals, 3)))
return false;
}
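Review bot: On overflow the new `SafeUint32Mult(fProfileHues, fProfileSats, fProfileVals, 3)` call presumably raises an error instead of letting `CheckTagCount` fail and `ParseTag` take its `return false` path, so a malformed profile may change from "tag rejected" to "parse aborted". The definition of `SafeUint32Mult` is not in this diff, so confirm that this behaviour is intended. The same applies to the look-table call in the next hunk of this file. If the table dimensions are multiplied again where the tables are read or allocated (not visible here), those sites need the same checked multiply. A one-line comment such as `// Dimensions are file-controlled; the product must not wrap before it is compared with tagCount.` would document the intent.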
@@ -763,9 +762,10 @@ bool dng_camera_profile_info::ParseTag (dng_stream &stream,
if (!skipSat0)
{
- if (!CheckTagCount (parentCode, tagCode, tagCount, fLookTableHues *
- fLookTableSats *
- fLookTableVals * 3))
+ if (!CheckTagCount (parentCode, tagCode, tagCount,
+ SafeUint32Mult(fLookTableHues,
+ fLookTableSats,
+ fLookTableVals, 3)))
return false;
}
diff --git a/source/dng_stream.cpp b/source/dng_stream.cpp
index d94a5c7..8b8fa5a 100644
--- a/source/dng_stream.cpp
+++ b/source/dng_stream.cpp
@@ -850,7 +850,7 @@ int32 dng_stream::TagValue_int32 (uint32 tagType)
if (x < -2147483648.0)
x = -2147483648.0;
- return (int32) (x - 0.5);
+ return ConvertDoubleToInt32(x - 0.5);
}
@@ -860,7 +860,7 @@ int32 dng_stream::TagValue_int32 (uint32 tagType)
if (x > 2147483647.0)
x = 2147483647.0;
- return (int32) (x + 0.5);
+ return ConvertDoubleToInt32(x + 0.5);
}
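Review bot: A NaN value is not handled by either clamp, because `x < -2147483648.0` and `x > 2147483647.0` are both false for NaN, so it reaches `ConvertDoubleToInt32` unchanged. What that helper does with NaN is not visible in this diff; if it raises an error, a single malformed tag now aborts the read, which may be acceptable but should be stated. Consider an explicit test before the rounding, for example `if (x != x) ThrowBadFormat ();` or a return value the callers expect, or add a comment recording the chosen behaviour. The enclosing branches of `TagValue_int32` start outside both hunks in this file.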
diff --git a/source/dng_string.cpp b/source/dng_string.cpp
index 60e7d74..13fc438 100644
--- a/source/dng_string.cpp
+++ b/source/dng_string.cpp
@@ -923,7 +923,7 @@ uint32 dng_string::DecodeUTF8 (const char *&s,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
- 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,4,4,4,4,4,4,4,4,5,5,5,5,6,6,0,0
+ 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,4,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0
};
if (isValid)
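Review bot: The length table now maps lead bytes 0xF5 through 0xFF to 0, but nothing in the table says so; a comment on each row would make the intent auditable. Suggested comments: `// 0xC0-0xDF: 2-byte lead` on the row of 2s and `// 0xE0-0xEF: 3-byte, 0xF0-0xF4: 4-byte, 0xF5-0xFF: invalid` on the changed row. Note that 0xC0 and 0xC1 still map to 2 in the unchanged row above, so rejecting overlong two-byte encodings depends on a later check, if one exists, outside this hunk.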
@@ -1023,32 +1023,6 @@ uint32 dng_string::DecodeUTF8 (const char *&s,
break;
}
-
- case 5:
- {
-
- aChar = ((((((((aChar << 6) + nBuf [1])
- << 6) + nBuf [2])
- << 6) + nBuf [3])
- << 6) + nBuf [4]) - (uint32) 0xFA082080UL;
-
- break;
-
- }
-
- case 6:
- {
-
- aChar = ((((((((((aChar << 6) + nBuf [1])
- << 6) + nBuf [2])
- << 6) + nBuf [3])
- << 6) + nBuf [4])
- << 6) + nBuf [5]) - (uint32) 0x82082080UL;
-
- break;
-
- }
-
}
if (aChar < 0x7F || aChar > 0x0010FFFF)