summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2018-02-12 22:48:25 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-02-12 22:48:25 +0000
commit0294f3d06517265a3b63ec3238b32f77d92a71bf (patch)
tree370c60894f4aae9079f9edb9b460e2601c2d76e1
parent3e5fac8169987afe652752ca5c7b9350ffabce0d (diff)
downloadpdfium-0294f3d06517265a3b63ec3238b32f77d92a71bf.tar.xz
Fix signedness in CJBig2_HuffmanTable, and add overflow check
Bug: 808902 Change-Id: Iad5ab63eeedc3ea85001337ba73626178c71f8b8 Reviewed-on: https://pdfium-review.googlesource.com/26470 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
-rw-r--r--core/fxcodec/jbig2/JBig2_HuffmanTable.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 1127f52a52..83f9fed010 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -53,9 +53,7 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
uint32_t HTLOW;
uint32_t HTHIGH;
if (pStream->readInteger(&HTLOW) == -1 ||
- pStream->readInteger(&HTHIGH) == -1 ||
- HTLOW > static_cast<uint32_t>(std::numeric_limits<int>::max()) ||
- HTHIGH > static_cast<uint32_t>(std::numeric_limits<int>::max())) {
+ pStream->readInteger(&HTHIGH) == -1) {
return false;
}
@@ -87,6 +85,9 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
return false;
RANGELEN[NTEMP] = 32;
+ if (low == std::numeric_limits<int>::min())
+ return false;
+
RANGELOW[NTEMP] = low - 1;
ExtendBuffers(true);