diff options
author | JUN FANG <jun_fang@foxitsoftware.com> | 2015-05-21 09:56:11 -0700 |
---|---|---|
committer | JUN FANG <jun_fang@foxitsoftware.com> | 2015-05-21 09:56:11 -0700 |
commit | bc4b82ea7a9c6603c6a1c89e00f4e6381c1b6804 (patch) | |
tree | 1151fbe2fef562cd7589949b67c83cbe08d504e3 | |
parent | 79569e74ddddb12b3a76d211d826be2a3d87d0d0 (diff) | |
download | pdfium-bc4b82ea7a9c6603c6a1c89e00f4e6381c1b6804.tar.xz |
Fix an endless loop in CJBig2_HuffmanTable::parseFromCodedBuffer
This issue is trigged by the conversion from unsigned int to signed int.
A large unsigned int is converted to int. It's represented as a negative
int which is used in the condition of while later.
BUG=482639
R=brucedawson@chromium.org
Review URL: https://codereview.chromium.org/1146913003
-rw-r--r-- | core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp index 0a5bc8e645..0616123c1e 100644 --- a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp +++ b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp @@ -103,10 +103,10 @@ int CJBig2_HuffmanTable::parseFromStandardTable(const JBig2TableLine *pTable, in int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream) { unsigned char HTPS, HTRS; - int HTLOW, HTHIGH; - int CURRANGELOW; - int nSize = 16; - int CURLEN, LENMAX, CURCODE, CURTEMP, i; + FX_DWORD HTLOW, HTHIGH; + FX_DWORD CURRANGELOW; + FX_DWORD nSize = 16; + int CURLEN, LENMAX, CURCODE, CURTEMP; int *LENCOUNT; int *FIRSTCODE; unsigned char cTemp; @@ -116,8 +116,9 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream) HTOOB = cTemp & 0x01; HTPS = ((cTemp >> 1) & 0x07) + 1; HTRS = ((cTemp >> 4) & 0x07) + 1; - if(pStream->readInteger((FX_DWORD*)&HTLOW) == -1 || - pStream->readInteger((FX_DWORD*)&HTHIGH) == -1) { + if(pStream->readInteger(&HTLOW) == -1 || + pStream->readInteger(&HTHIGH) == -1 || + HTLOW > HTHIGH) { goto failed; } PREFLEN = (int*)m_pModule->JBig2_Malloc2(sizeof(int), nSize); @@ -127,8 +128,8 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream) NTEMP = 0; do { HT_CHECK_MEMORY_ADJUST - if((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) - || (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) { + if((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) || + (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) { goto failed; } RANGELOW[NTEMP] = CURRANGELOW; @@ -158,7 +159,7 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream) } CODES = (int*)m_pModule->JBig2_Malloc2(sizeof(int), NTEMP); LENMAX = 0; - for(i = 0; i < NTEMP; i++) { + for(int i = 0; i < NTEMP; i++) { if(PREFLEN[i] > LENMAX) { LENMAX = PREFLEN[i]; } @@ -166,7 +167,7 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream) LENCOUNT = (int*)m_pModule->JBig2_Malloc2(sizeof(int), (LENMAX + 1)); JBIG2_memset(LENCOUNT, 0, sizeof(int) * (LENMAX + 1)); FIRSTCODE = (int*)m_pModule->JBig2_Malloc2(sizeof(int), (LENMAX + 1)); - for(i = 0; i < NTEMP; i++) { + for(int i = 0; i < NTEMP; i++) { LENCOUNT[PREFLEN[i]] ++; } CURLEN = 1; |