author | Nicolas Pena <npm@chromium.org> | 2017-12-01 21:40:23 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-12-01 21:40:23 +0000 |
commit | dca380ffe0571be4023b11b06b8aecad9934bb06 (patch) | |
tree | 17daabe5cc361a543dd69f8f783c34f5a5a598d4 /core/fxcodec/jbig2/JBig2_SddProc.cpp | |
parent | 752e9bf892abdf1ee588ba87c857d0783a017b27 (diff) | |
download | pdfium-dca380ffe0571be4023b11b06b8aecad9934bb06.tar.xz |
Check for success of decodes to avoid infinite loops
Bug: 790693
Change-Id: I9b1d87e024229d8b01f55ec554e2cc544db6ac06
Reviewed-on: https://pdfium-review.googlesource.com/20230
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_SddProc.cpp')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_SddProc.cpp | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/core/fxcodec/jbig2/JBig2_SddProc.cpp b/core/fxcodec/jbig2/JBig2_SddProc.cpp
index 45aa22e655..43768bd823 100644
--- a/core/fxcodec/jbig2/JBig2_SddProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_SddProc.cpp
@@ -68,7 +68,9 @@ std::unique_ptr<CJBig2_SymbolDict> CJBig2_SDDProc::decode_Arith(
 NSYMSDECODED = 0;
 while (NSYMSDECODED < SDNUMNEWSYMS) {
 std::unique_ptr<CJBig2_Image> BS;
- IADH->decode(pArithDecoder, &HCDH);
+ if (!IADH->decode(pArithDecoder, &HCDH))
+ return nullptr;
+
 HCHEIGHT = HCHEIGHT + HCDH;
 if ((int)HCHEIGHT < 0 || (int)HCHEIGHT > JBIG2_MAX_IMAGE_SIZE)
 return nullptr;
@@ -113,7 +115,8 @@ std::unique_ptr<CJBig2_SymbolDict> CJBig2_SDDProc::decode_Arith(
 if (!BS)
 return nullptr;
 } else {
- IAAI->decode(pArithDecoder, (int*)&REFAGGNINST);
+ if (!IAAI->decode(pArithDecoder, reinterpret_cast<int*>(&REFAGGNINST)))
+ return nullptr;
 if (REFAGGNINST > 1) {
 auto pDecoder = pdfium::MakeUnique<CJBig2_TRDProc>();
 pDecoder->SBHUFF = SDHUFF;
@@ -186,12 +189,11 @@ std::unique_ptr<CJBig2_SymbolDict> CJBig2_SDDProc::decode_Arith(
 } else if (REFAGGNINST == 1) {
 SBNUMSYMS = SDNUMINSYMS + NSYMSDECODED;
 uint32_t IDI;
- IAID->decode(pArithDecoder, &IDI);
- IARDX->decode(pArithDecoder, &RDXI);
- IARDY->decode(pArithDecoder, &RDYI);
- if (IDI >= SBNUMSYMS)
+ if (!IAID->decode(pArithDecoder, &IDI) ||
+ !IARDX->decode(pArithDecoder, &RDXI) ||
+ !IARDY->decode(pArithDecoder, &RDYI) || IDI >= SBNUMSYMS) {
 return nullptr;
-
+ }
 SBSYMS.resize(SBNUMSYMS);
 std::copy(SDINSYMS, SDINSYMS + SDNUMINSYMS, SBSYMS.begin());
 for (size_t i = 0; i < NSYMSDECODED; ++i)
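Review bot: In the second hunk the IAAI result is still written into REFAGGNINST through `reinterpret_cast<int*>`, so a decode that succeeds with a negative value would be stored as a very large unsigned count and pass the `REFAGGNINST > 1` test on the next line. REFAGGNINST's declaration is outside the hunk, but the cast suggests it is not an `int`. Decoding into a local signed value and rejecting negatives before assigning would close that gap, e.g. `int32_t nInst; if (!IAAI->decode(pArithDecoder, &nInst) || nInst < 0) return nullptr; REFAGGNINST = nInst;`. The IAEX call in the last hunk has the same pattern and keeps the C-style `(int*)` cast, so the two sites are also inconsistent in style.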
@@ -225,10 +227,10 @@ std::unique_ptr<CJBig2_SymbolDict> CJBig2_SDDProc::decode_Arith(
 EXFLAGS.resize(SDNUMINSYMS + SDNUMNEWSYMS);
 num_ex_syms = 0;
 while (EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS) {
- IAEX->decode(pArithDecoder, (int*)&EXRUNLENGTH);
- if (EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS)
+ if (!IAEX->decode(pArithDecoder, (int*)&EXRUNLENGTH) ||
+ EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS) {
 return nullptr;
-
+ }
 if (EXRUNLENGTH != 0) {
 for (I = EXINDEX; I < EXINDEX + EXRUNLENGTH; I++) {
 if (CUREXFLAG) |
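Review bot: The range check `EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS` can wrap if these are unsigned 32-bit values; their declarations are outside the hunk, but the `(int*)` cast on EXRUNLENGTH suggests so. A successfully decoded negative run length would then become a huge value, the sum would overflow to something small, and the check would pass, which the added decode-success test does not catch. Since the loop condition already guarantees `EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS`, comparing against the remaining room avoids the addition: `EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS - EXINDEX`. How EXINDEX is advanced is not visible here because the loop body continues past the end of the hunk, so whether termination is affected should be confirmed against the full function.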