From 340bbcf10b50734dee585b0dae5cf295b835c5c9 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 29 Aug 2022 23:17:14 +0000
Subject: [PATCH] Fix a malloc size error in OpenJPEG.
Cherrypick the fix [1] from upstream OpenJPEG.
[1] https://github.com/uclouvain/openjpeg/pull/1426
Bug: chromium:1357303
Change-Id: I0b18a896c061485e41eb2890d21d0f6d842bab18
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/97012
Commit-Queue: Lei Zhang
Reviewed-by: Tom Sepez
---
 .../0044-opj_t1_allocate_buffers.patch | 28 +++++++++++++++++++
 third_party/libopenjpeg/README.pdfium | 1 +
 third_party/libopenjpeg/ht_dec.c | 4 +--
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 third_party/libopenjpeg/0044-opj_t1_allocate_buffers.patch
diff --git a/third_party/libopenjpeg/0044-opj_t1_allocate_buffers.patch b/third_party/libopenjpeg/0044-opj_t1_allocate_buffers.patch
new file mode 100644
index 0000000000..3d77b74af6
--- /dev/null
+++ b/third_party/libopenjpeg/0044-opj_t1_allocate_buffers.patch
@@ -0,0 +1,28 @@
+commit 0535bfc3b7d5cd6fc73a7d4a6749a338fc5d7703
+Author: Yuan
+Date: Tue May 31 17:55:12 2022 +0800
+
+ HT_DEC: Fix opj_t1_allocate_buffers malloc size error (#1426) (fixes #1413)
+
+diff --git a/src/lib/openjp2/ht_dec.c b/src/lib/openjp2/ht_dec.c
+index e2f3afd6..a803d1bb 100644
+--- a/src/lib/openjp2/ht_dec.c
++++ b/src/lib/openjp2/ht_dec.c
+@@ -1063,7 +1063,7 @@ static OPJ_BOOL opj_t1_allocate_buffers(
+ if (flagssize > t1->flagssize) {
+
+ opj_aligned_free(t1->flags);
+- t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize);
++ t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
+ if (!t1->flags) {
+ /* FIXME event manager error callback */
+ return OPJ_FALSE;
+@@ -1071,7 +1071,7 @@ static OPJ_BOOL opj_t1_allocate_buffers(
+ }
+ t1->flagssize = flagssize;
+
+- memset(t1->flags, 0, flagssize);
++ memset(t1->flags, 0, flagssize * sizeof(opj_flag_t));
+ }
+
+ t1->w = w;
diff --git a/third_party/libopenjpeg/README.pdfium b/third_party/libopenjpeg/README.pdfium
index 5b029abbc5..49b39be83c 100644
--- a/third_party/libopenjpeg/README.pdfium
+++ b/third_party/libopenjpeg/README.pdfium
@@ -31,3 +31,4 @@ Local Modifications:
 0041-remove_opj_clock.patch: Remove unused opj_clock.h include.
 0042-popcnt-windows-arm64.patch: Backport to fix Windows arm64 build.
 0043-mel_init.patch: Backport fix for assertion failure in mel_init().
+0044-opj_t1_allocate_buffers.patch: Backport fix for malloc size error in opj_t1_allocate_buffers().
diff --git a/third_party/libopenjpeg/ht_dec.c b/third_party/libopenjpeg/ht_dec.c
index 1a38172db7..62a6c9e1de 100644
--- a/third_party/libopenjpeg/ht_dec.c
+++ b/third_party/libopenjpeg/ht_dec.c
@@ -1066,7 +1066,7 @@ static OPJ_BOOL opj_t1_allocate_buffers(
 if (flagssize > t1->flagssize) {
 
 opj_aligned_free(t1->flags);
- t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize);
+ t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
 if (!t1->flags) {
 /* FIXME event manager error callback */
 return OPJ_FALSE;
@@ -1074,7 +1074,7 @@ static OPJ_BOOL opj_t1_allocate_buffers(
 }
 t1->flagssize = flagssize;
 
- memset(t1->flags, 0, flagssize);
+ memset(t1->flags, 0, flagssize * sizeof(opj_flag_t));
 }
 
 t1->w = w;
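Review bot: The new byte count `flagssize * sizeof(opj_flag_t)` in the first ht_dec.c hunk is handed to opj_aligned_malloc with no guard visible in the hunk against the product wrapping; flagssize's type and how it is derived are outside both hunks (opj_t1_allocate_buffers starts and ends outside them), so unless it is already bounded earlier in the function, a check such as `if (flagssize > SIZE_MAX / sizeof(opj_flag_t)) { return OPJ_FALSE; }` ahead of the allocation would keep the size arithmetic safe on 32-bit builds as well. Because the same expression is repeated in the memset of the second hunk, spelling it `sizeof(*t1->flags)` in both places ties the byte count to the pointer's element type, so the allocation and the clear cannot drift apart again. A short comment on `t1->flagssize = flagssize;` stating that the cached value counts opj_flag_t elements rather than bytes would also document the unit confusion this fix corrects.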