authorDan Sinclair <dsinclair@chromium.org>2017-03-28 12:44:58 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-03-28 17:07:05 +0000
commiteed6421dc45a5cc74986b2ef0870974c829f829e (patch)
treef2da4f8ddf08ca108a8a47381e5cb7dc1bd85d3e /core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
parent8149ae111536d6f7272e676ad4b95b1b194d11b8 (diff)
Add bounds check into JBIG2 Arith decoder.
Currently, when the BitStream runs out of bits, it pretends that it still has content and will continue to return the last byte over and over again. This CL updates the JBIG2 decoder to detect that the bit stream is complete and return a decode error. Bug: chromium:665056 Change-Id: I61ca75713e677a2c280e80374b8dcfd48bee67d8 Reviewed-on: https://pdfium-review.googlesource.com/3244 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_ArithDecoder.cpp')
-rw-r--r--core/fxcodec/jbig2/JBig2_ArithDecoder.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp b/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
index 0d45f57bdf..78c7939458 100644
--- a/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
+++ b/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
@@ -56,7 +56,7 @@ int DecodeNLPS(JBig2ArithCtx* pCX, const JBig2ArithQe& qe) {
} // namespace
CJBig2_ArithDecoder::CJBig2_ArithDecoder(CJBig2_BitStream* pStream)
- : m_pStream(pStream) {
+ : m_Complete(false), m_pStream(pStream) {
m_B = m_pStream->getCurByte_arith();
m_C = (m_B ^ 0xff) << 16;
BYTEIN();
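Review bot: The constructor calls `BYTEIN()` right after setting `m_Complete(false)`, so an empty or truncated stream can flip the flag to true before construction finishes, and nothing here documents that. Callers need to test completion immediately after constructing the decoder, not only after a decode call; I would add `// BYTEIN() may set m_Complete; check it right after construction.` above the first `BYTEIN();`. The initial `m_pStream->getCurByte_arith()` read also happens before any bounds check, so it presumably still returns a repeated or stale byte on an exhausted stream; that helper is not visible here. The constructor body continues outside the hunk, and the initializer order should match the member declaration order in the header, which is not shown.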
@@ -107,6 +107,9 @@ void CJBig2_ArithDecoder::BYTEIN() {
m_C = m_C + 0xff00 - (m_B << 8);
m_CT = 8;
}
+
+ if (!m_pStream->IsInBounds())
+ m_Complete = true;
}
void CJBig2_ArithDecoder::ReadValueA() {
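Review bot: The new `IsInBounds()` check at the end of `BYTEIN()` only records the condition; by the time it runs, `m_B` and `m_C` have already been updated from the stream, and nothing in this file's hunks stops decoding once `m_Complete` is set. The protection therefore depends on every decode caller testing the flag, and those callers are outside this file-limited diff, so that is worth confirming. It is also unclear from here whether `IsInBounds()` turns false as soon as the last valid byte is consumed or only after reading past it; in the first case a well-formed stream could be reported as a decode error on its final byte. I would document the intended meaning at the check, e.g. `// Stream exhausted: bytes fetched from here on are not backed by input, so callers must treat decoded values as invalid.` The start of `BYTEIN()` is outside the hunk.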