summaryrefslogtreecommitdiff
path: root/core/fxcodec/jbig2/JBig2_Context.cpp
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-04-23 16:29:47 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-23 16:29:47 +0000
commitcca452eab645fd6b0e63ab2fd1dd553277df111e (patch)
treecfeaf9dc418d59060d8bc456f276ba0dd7a1b8b4 /core/fxcodec/jbig2/JBig2_Context.cpp
parentdd2a629f9ede484e0e570ce09d1e9d8906aa11be (diff)
downloadpdfium-cca452eab645fd6b0e63ab2fd1dd553277df111e.tar.xz
Add more image size checks in CJBig2_Context.
BUG=chromium:834557 Change-Id: I8fb8d74f87097b39608c3f83f2fa1c4e49e69980 Reviewed-on: https://pdfium-review.googlesource.com/31170 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_Context.cpp')
-rw-r--r--core/fxcodec/jbig2/JBig2_Context.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 3d823c7b19..57bae1c617 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -637,6 +637,10 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
m_pStream->readShortInteger(&wFlags) != 0) {
return JBIG2_ERROR_TOO_SHORT;
}
+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }
auto pTRD = pdfium::MakeUnique<CJBig2_TRDProc>();
pTRD->SBW = ri.width;
@@ -984,6 +988,11 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
if (pHRD->HGW == 0 || pHRD->HGH == 0)
return JBIG2_ERROR_FATAL;
+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }
+
pHRD->HBW = ri.width;
pHRD->HBH = ri.height;
pHRD->HMMR = cFlags & 0x01;
@@ -1148,6 +1157,11 @@ int32_t CJBig2_Context::parseGenericRefinementRegion(CJBig2_Segment* pSegment) {
m_pStream->read1Byte(&cFlags) != 0) {
return JBIG2_ERROR_TOO_SHORT;
}
+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }
+
auto pGRRD = pdfium::MakeUnique<CJBig2_GRRDProc>();
pGRRD->GRW = ri.width;
pGRRD->GRH = ri.height;