diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2017-09-14 17:31:07 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-09-14 21:43:02 +0000 |
commit | 3cb71268405f64b98109853bd3b59e50db58692d (patch) | |
tree | 455602111b90ab2df4bebb7a4ec8b463a90314dc /core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp | |
parent | f0947bd79c1c8e2bdddc97acb5b5e1cf7bd9164b (diff) | |
download | pdfium-3cb71268405f64b98109853bd3b59e50db58692d.tar.xz |
Fix decoding of JBIG2 integers for values with large magnitude.
Now considering anything not representable by a 32-bit signed int
as OOB rather than decoding some arbitrary overflowed value.
Bug: chromium:761666
Change-Id: I00f5a3abadca51f9bedc5e5d78f7f184040c2f33
Reviewed-on: https://pdfium-review.googlesource.com/14010
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp index 1701538b4f..7ed7702964 100644 --- a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp +++ b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp @@ -49,6 +49,9 @@ CJBig2_ArithIntDecoder::~CJBig2_ArithIntDecoder() {} bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder, int* nResult) { + // This decoding algorithm is explained in "Annex A - Arithmetic Integer + // Decoding Procedure" on page 113 of the JBIG2 specification (ISO/IEC FCD + // 14492). int PREV = 1; const int S = pArithDecoder->DECODE(&m_IAx[PREV]); PREV = ShiftOr(PREV, S); @@ -64,8 +67,17 @@ bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder, PREV = (PREV & 511) | 256; nTemp = ShiftOr(nTemp, D); } - int nValue = g_ArithIntDecodeData[nDecodeDataIndex].nValue; - nValue += nTemp; + pdfium::base::CheckedNumeric<int> safeValue = + g_ArithIntDecodeData[nDecodeDataIndex].nValue; + safeValue += nTemp; + + // Value does not fit in int. + if (!safeValue.IsValid()) { + *nResult = 0; + return false; + } + + int nValue = safeValue.ValueOrDie(); if (S == 1 && nValue > 0) nValue = -nValue; |