diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-11-08 17:39:12 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-11-08 17:39:12 +0000 |
| commit | 7055dffad92bd7be7cdb20ed12d5cc5890177e7a (patch) | |
| tree | e12e7bb8caa56d9a6dc00f40f471ade6d68fbac0 /core/fxcodec/jbig2/JBig2_Context.cpp | |
| parent | 269ef77ccbb20db68c0b5049bb6a3a867623db64 (diff) | |
| download | pdfium-7055dffad92bd7be7cdb20ed12d5cc5890177e7a.tar.xz | |
Prevent cyclic offset on CJBig2_Context
This CL changes the type of |m_dwOffset| to safe unsigned integer to
prevent the offset from cycling from MAX_UINT32 back to 0.
Bug: chromium:778912
Change-Id: Ib93a8392e52eecf2cc223438ac85e9dc529b0f43
Reviewed-on: https://pdfium-review.googlesource.com/18130
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_Context.cpp')
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_Context.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp index 53e6b7a84a..6985c0e927 100644 --- a/core/fxcodec/jbig2/JBig2_Context.cpp +++ b/core/fxcodec/jbig2/JBig2_Context.cpp @@ -101,7 +101,10 @@ int32_t CJBig2_Context::decode_SquentialOrgnazation( } if (m_pSegment->m_dwData_length != 0xffffffff) { m_dwOffset += m_pSegment->m_dwData_length; - m_pStream->setOffset(m_dwOffset); + if (!m_dwOffset.IsValid()) + return JBIG2_ERROR_FATAL; + + m_pStream->setOffset(m_dwOffset.ValueOrDie()); } else { m_pStream->offset(4); } |