diff options
| author | Dan Sinclair <dsinclair@chromium.org> | 2017-04-10 13:14:39 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-04-10 18:56:49 +0000 |
| commit | 76c9a1b146145fc3605f91a807b0bc99d2607a0f (patch) | |
| tree | 25dca4829862b71905f20d101d883979c473ff31 | |
| parent | ecc3c836cf6965fbb7ad06b61da87332e59ea5d8 (diff) | |
| download | pdfium-76c9a1b146145fc3605f91a807b0bc99d2607a0f.tar.xz | |
Guard against negative shift in jbig2 huffman initialization
Depending on the code table, it's possible to have the largest PREFLEN
value in the huffman table to be > 32. This will, potentially, cause the
calcuation of ((FIRSTCODE[i - 1] + LENCOUNT[i - 1]) << 1 to overflow the
int value and cause a negative shift.
This Cl checks the shift value and failes the initialization if we would
shift a negative value.
Bug: chromium:709781
Change-Id: Ia165a01ba9412e31c5e5a43717d415fcb42eafe5
Reviewed-on: https://pdfium-review.googlesource.com/3990
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 15 | ||||
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_HuffmanTable.h | 2 |
2 files changed, 12 insertions, 5 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp index baf97567fb..3bb6ae620c 100644 --- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp +++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp @@ -97,11 +97,10 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) { ++NTEMP; } - InitCodes(); - return true; + return InitCodes(); } -void CJBig2_HuffmanTable::InitCodes() { +bool CJBig2_HuffmanTable::InitCodes() { int lenmax = 0; for (uint32_t i = 0; i < NTEMP; ++i) lenmax = std::max(PREFLEN[i], lenmax); @@ -115,13 +114,21 @@ void CJBig2_HuffmanTable::InitCodes() { FIRSTCODE[0] = 0; LENCOUNT[0] = 0; for (int i = 1; i <= lenmax; ++i) { - FIRSTCODE[i] = (FIRSTCODE[i - 1] + LENCOUNT[i - 1]) << 1; + pdfium::base::CheckedNumeric<int> shifted; + shifted = FIRSTCODE[i - 1] + LENCOUNT[i - 1]; + shifted <<= 1; + if (!shifted.IsValid()) + return false; + + FIRSTCODE[i] = shifted.ValueOrDie(); int CURCODE = FIRSTCODE[i]; for (uint32_t j = 0; j < NTEMP; ++j) { if (PREFLEN[j] == i) CODES[j] = CURCODE++; } } + + return true; } void CJBig2_HuffmanTable::ExtendBuffers(bool increment) { diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.h b/core/fxcodec/jbig2/JBig2_HuffmanTable.h index 58a3124881..b49fcebc9c 100644 --- a/core/fxcodec/jbig2/JBig2_HuffmanTable.h +++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.h @@ -35,7 +35,7 @@ class CJBig2_HuffmanTable { private: void ParseFromStandardTable(const JBig2TableLine* pTable); bool ParseFromCodedBuffer(CJBig2_BitStream* pStream); - void InitCodes(); + bool InitCodes(); void ExtendBuffers(bool increment); bool m_bOK; |