author | Lei Zhang <thestig@chromium.org> | 2018-05-02 14:33:54 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-05-02 14:33:54 +0000 |
commit | 28cad1534619d55820593baed0b6d6f3cbf767eb (patch) | |
tree | 365208753d9b2957c5b091165c03c01478bb9436 /core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp | |
parent | e77cccd4fe7e5b6707370ea7b67e6e303fe2764b (diff) | |
download | pdfium-28cad1534619d55820593baed0b6d6f3cbf767eb.tar.xz |
Make several Huffman decoders consistently check for integer overflows.
BUG=chromium:837972
Change-Id: I6cfa28bff38870419e4b1e2bced427cfcbf843cd
Reviewed-on: https://pdfium-review.googlesource.com/31912
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
index cdb6fbe752..7f250a5d08 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h"
 #include "core/fxcodec/jbig2/JBig2_Define.h"
+#include "core/fxcrt/fx_safe_types.h"
 CJBig2_HuffmanDecoder::CJBig2_HuffmanDecoder(CJBig2_BitStream* pStream) : m_pStream(pStream) {}
@@ -15,15 +16,20 @@ CJBig2_HuffmanDecoder::~CJBig2_HuffmanDecoder() {}
 int CJBig2_HuffmanDecoder::DecodeAValue(CJBig2_HuffmanTable* pTable, int* nResult) {
- int nVal = 0;
+ FX_SAFE_INT32 nSafeVal = 0;
 int nBits = 0;
 while (1) {
 uint32_t nTmp;
 if (m_pStream->read1Bit(&nTmp) == -1) break;
- nVal = (nVal << 1) | nTmp;
+ nSafeVal <<= 1;
+ if (!nSafeVal.IsValid())
+ break;
+
+ nSafeVal |= nTmp;
 ++nBits;
+ const int32_t nVal = nSafeVal.ValueOrDie();
 for (uint32_t i = 0; i < pTable->Size(); ++i) {
 const JBig2HuffmanCode& code = pTable->GetCODES()[i];
 if (code.codelen != nBits || code.code != nVal) |
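Review bot: In DecodeAValue, validity is checked after `nSafeVal <<= 1` but not after `nSafeVal |= nTmp`, and the next added line calls `ValueOrDie()`, which by its name aborts rather than returns on an invalid value. That is safe only if read1Bit() stores nothing but 0 or 1 in nTmp, which is not visible in this hunk. Since the bits presumably come from untrusted JBIG2 input, I would either state the invariant in a comment, e.g. `// read1Bit() yields 0 or 1, so the OR cannot invalidate nSafeVal.`, or re-check `IsValid()` after the OR and `break` as the shift path does. The new overflow `break` also exits to code after the loop that lies outside the hunk, so please confirm that path reports failure the same way as the end-of-stream `break`.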