summaryrefslogtreecommitdiff
path: root/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp
diff options
context:
space:
mode:
authorHenrique Nakashima <hnakashima@chromium.org>2017-09-14 17:31:07 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-09-14 21:43:02 +0000
commit3cb71268405f64b98109853bd3b59e50db58692d (patch)
tree455602111b90ab2df4bebb7a4ec8b463a90314dc /core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp
parentf0947bd79c1c8e2bdddc97acb5b5e1cf7bd9164b (diff)
downloadpdfium-3cb71268405f64b98109853bd3b59e50db58692d.tar.xz
Fix decoding of JBIG2 integers for values with large magnitude.
Now considering anything not representable by a 32-bit signed int as OOB rather than decoding some arbitrary overflowed value. Bug: chromium:761666 Change-Id: I00f5a3abadca51f9bedc5e5d78f7f184040c2f33 Reviewed-on: https://pdfium-review.googlesource.com/14010 Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp')
-rw-r--r--core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp
index 1701538b4f..7ed7702964 100644
--- a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp
+++ b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp
@@ -49,6 +49,9 @@ CJBig2_ArithIntDecoder::~CJBig2_ArithIntDecoder() {}
bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder,
int* nResult) {
+ // This decoding algorithm is explained in "Annex A - Arithmetic Integer
+ // Decoding Procedure" on page 113 of the JBIG2 specification (ISO/IEC FCD
+ // 14492).
int PREV = 1;
const int S = pArithDecoder->DECODE(&m_IAx[PREV]);
PREV = ShiftOr(PREV, S);
@@ -64,8 +67,17 @@ bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder,
PREV = (PREV & 511) | 256;
nTemp = ShiftOr(nTemp, D);
}
- int nValue = g_ArithIntDecodeData[nDecodeDataIndex].nValue;
- nValue += nTemp;
+ pdfium::base::CheckedNumeric<int> safeValue =
+ g_ArithIntDecodeData[nDecodeDataIndex].nValue;
+ safeValue += nTemp;
+
+ // Value does not fit in int.
+ if (!safeValue.IsValid()) {
+ *nResult = 0;
+ return false;
+ }
+
+ int nValue = safeValue.ValueOrDie();
if (S == 1 && nValue > 0)
nValue = -nValue;