Sanitize another image size in CJBig2_Context::parseHalftoneRegion().

BUG=chromium:836872 Change-Id: I0362fd7708043648bffa26c9248b401ea2793a21 Reviewed-on: https://pdfium-review.googlesource.com/31510 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
author: Lei Zhang <thestig@chromium.org> 2018-04-27 16:53:49 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-04-27 16:53:49 +0000
commit: 0e3635c59e79e8ca782412fa1bcf377c7c4f980e (patch)
tree: 4760b2948bf06f61b0c636c2d044a6be8a1d0f12
parent: b1b01de0285c77f16a72736bf6abeb9598743b0a (diff)
download: pdfium-0e3635c59e79e8ca782412fa1bcf377c7c4f980e.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 88c8cfa21c..c8095c8448 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -995,8 +995,10 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
     return JBIG2_ERROR_TOO_SHORT;
   }
 
-  if (pHRD->HGW == 0 || pHRD->HGH == 0)
+  if (pHRD->HGW == 0 || pHRD->HGW > JBIG2_MAX_IMAGE_SIZE || pHRD->HGH == 0 ||
+      pHRD->HGH > JBIG2_MAX_IMAGE_SIZE) {
     return JBIG2_ERROR_FATAL;
+  }
 
   if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
       ri.height > JBIG2_MAX_IMAGE_SIZE) {
author	Lei Zhang <thestig@chromium.org>	2018-04-27 16:53:49 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-04-27 16:53:49 +0000
commit	0e3635c59e79e8ca782412fa1bcf377c7c4f980e (patch)
tree	4760b2948bf06f61b0c636c2d044a6be8a1d0f12
parent	b1b01de0285c77f16a72736bf6abeb9598743b0a (diff)
download	pdfium-0e3635c59e79e8ca782412fa1bcf377c7c4f980e.tar.xz