summaryrefslogtreecommitdiff
path: root/core/fxcodec/jbig2/JBig2_Context.cpp
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-04-27 14:36:57 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-27 14:36:57 +0000
commit7f41d68152885d9b391fd9cc96d9754969b78369 (patch)
treea00fd4021b79512c8a37cf78aeed3bbb66c2ce6e /core/fxcodec/jbig2/JBig2_Context.cpp
parent575f238334d13ab7bc7920eee23c108ef3b0bbed (diff)
downloadpdfium-7f41d68152885d9b391fd9cc96d9754969b78369.tar.xz
Sanitize the SBNUMINSTANCES value in the JBIG2 decoder.
BUG=chromium:837192 Change-Id: Ib9c0e7b4aeb6501e81308844d344a784f7c138d8 Reviewed-on: https://pdfium-review.googlesource.com/31490 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_Context.cpp')
-rw-r--r--core/fxcodec/jbig2/JBig2_Context.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 57bae1c617..88c8cfa21c 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -689,6 +689,16 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
return JBIG2_ERROR_TOO_SHORT;
+ // Assume each instance takes at least 4 bits. That means for a stream of
+ // length N, there can be at most 2N instances. This is an extremely
+ // conservative estimate just to sanitize the |SBNUMINSTANCES| value.
+ // Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
+ // have a maximum size of roughly 11 GB.
+ FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
+ nMaxStripInstances *= 2;
+ if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
+ return JBIG2_ERROR_FATAL;
+
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
if (!findSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]))
return JBIG2_ERROR_FATAL;