diff options
author | kcwu <kcwu@chromium.org> | 2016-10-06 12:29:13 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-10-06 12:29:13 -0700 |
commit | 587ec1975017ecbf13c1c3faf64c1008a95846f2 (patch) | |
tree | dd05e288f515fe076566d35b17053090a379cd05 /core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | |
parent | 065c35006d96eaca324f49248d20d83709a25fbe (diff) | |
download | pdfium-587ec1975017ecbf13c1c3faf64c1008a95846f2.tar.xz |
Reject JBig2 Huffman table with too large shift value
BUG=chromium:653044
Review-Url: https://codereview.chromium.org/2397783002
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_HuffmanTable.cpp')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp index 3b34018c2d..26f0e52310 100644 --- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp +++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp @@ -64,7 +64,8 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) { int cur_low = low; do { if ((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) || - (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) { + (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1) || + (static_cast<size_t>(RANGELEN[NTEMP]) >= 8 * sizeof(cur_low))) { return false; } RANGELOW[NTEMP] = cur_low; |