Skip decoding of excessively large JBIG2 images.

BUG=chromium:749610.

Change-Id: I4de7855aec552e6c143e7a8be6b90e44945a0fcb
Reviewed-on: https://pdfium-review.googlesource.com/11930
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

1 files changed, 5 insertions, 2 deletions

diff --git a/core/fxcodec/jbig2/JBig2_GrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrdProc.cpp
index 764723bc6d..1d76f9053d 100644
--- a/core/fxcodec/jbig2/JBig2_GrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_GrdProc.cpp
@@ -45,8 +45,10 @@ bool CJBig2_GRDProc::UseTemplate23Opt3() const {
 std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::decode_Arith(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext) {
-  if (GBW == 0 || GBH == 0)
+  if (GBW == 0 || GBW > JBIG2_MAX_IMAGE_SIZE || GBH == 0 ||
+      GBH > JBIG2_MAX_IMAGE_SIZE) {
     return pdfium::MakeUnique<CJBig2_Image>(GBW, GBH);
+  }
 
   if (GBTEMPLATE == 0) {
     if (UseTemplate0Opt3())
@@ -639,7 +641,8 @@ FXCODEC_STATUS CJBig2_GRDProc::Start_decode_Arith(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext,
     IFX_Pause* pPause) {
-  if (GBW == 0 || GBH == 0) {
+  if (GBW == 0 || GBW > JBIG2_MAX_IMAGE_SIZE || GBH == 0 ||
+      GBH > JBIG2_MAX_IMAGE_SIZE) {
     m_ProssiveStatus = FXCODEC_STATUS_DECODE_FINISH;
     return FXCODEC_STATUS_DECODE_FINISH;
   }