diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-11-30 18:10:11 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-11-30 18:10:11 +0000 |
| commit | fee910e6f81fd199bfe4fd62ea538d1bc33056a8 (patch) | |
| tree | cf35f656740661f9ff6e9a762da1024fa7802f75 | |
| parent | 646257d65c653acdf2bea96c69e0550ca03340c6 (diff) | |
| download | pdfium-fee910e6f81fd199bfe4fd62ea538d1bc33056a8.tar.xz | |
Prevent integer overflow in CJBig2_HuffmanTable::ParseFromCodedBuffer
In this CL we prevent integer overflow by checking that the integers are
in the appropriate range before casting from unsigned to signed.
Bug: 789524
Change-Id: I41572849f18ffb0f0739c80130ee6b5061845d29
Reviewed-on: https://pdfium-review.googlesource.com/20011
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp index a4998e99cf..1127f52a52 100644 --- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp +++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp @@ -7,6 +7,7 @@ #include "core/fxcodec/jbig2/JBig2_HuffmanTable.h" #include <algorithm> +#include <limits> #include <vector> #include "core/fxcodec/jbig2/JBig2_BitStream.h" @@ -52,7 +53,9 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) { uint32_t HTLOW; uint32_t HTHIGH; if (pStream->readInteger(&HTLOW) == -1 || - pStream->readInteger(&HTHIGH) == -1) { + pStream->readInteger(&HTHIGH) == -1 || + HTLOW > static_cast<uint32_t>(std::numeric_limits<int>::max()) || + HTHIGH > static_cast<uint32_t>(std::numeric_limits<int>::max())) { return false; } |