diff options
author | Lei Zhang <thestig@chromium.org> | 2018-04-27 14:36:57 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-27 14:36:57 +0000 |
commit | 7f41d68152885d9b391fd9cc96d9754969b78369 (patch) | |
tree | a00fd4021b79512c8a37cf78aeed3bbb66c2ce6e /core/fxcodec/jbig2/JBig2_Context.cpp | |
parent | 575f238334d13ab7bc7920eee23c108ef3b0bbed (diff) | |
download | pdfium-7f41d68152885d9b391fd9cc96d9754969b78369.tar.xz |
Sanitize the SBNUMINSTANCES value in the JBIG2 decoder.
BUG=chromium:837192
Change-Id: Ib9c0e7b4aeb6501e81308844d344a784f7c138d8
Reviewed-on: https://pdfium-review.googlesource.com/31490
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_Context.cpp')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_Context.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp index 57bae1c617..88c8cfa21c 100644 --- a/core/fxcodec/jbig2/JBig2_Context.cpp +++ b/core/fxcodec/jbig2/JBig2_Context.cpp @@ -689,6 +689,16 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) { if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0) return JBIG2_ERROR_TOO_SHORT; + // Assume each instance takes at least 4 bits. That means for a stream of + // length N, there can be at most 2N instances. This is an extremely + // conservative estimate just to sanitize the |SBNUMINSTANCES| value. + // Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs + // have a maximum size of roughly 11 GB. + FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength(); + nMaxStripInstances *= 2; + if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie()) + return JBIG2_ERROR_FATAL; + for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) { if (!findSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i])) return JBIG2_ERROR_FATAL; |