summaryrefslogtreecommitdiff
path: root/core/fxcodec/jbig2/JBig2_TrdProc.cpp
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-10-23 14:24:06 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-10-23 22:40:14 +0000
commitebdba614b9683ddd1d50e8960639bc54c9d4bb7a (patch)
tree97ac6040c9a9e33d6381f23effd2ea54129c499a /core/fxcodec/jbig2/JBig2_TrdProc.cpp
parentc9d0bcccbd4cc460bb3e26f767eea2d33a5b48b6 (diff)
downloadpdfium-ebdba614b9683ddd1d50e8960639bc54c9d4bb7a.tar.xz
Fix some integer overflows in CJBig2_TRDProc
Bug: 649278 Change-Id: Ib9084f6d9bb7dc7bf3713faa22d3a26822a96681 Reviewed-on: https://pdfium-review.googlesource.com/16550 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2/JBig2_TrdProc.cpp')
-rw-r--r--core/fxcodec/jbig2/JBig2_TrdProc.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index d513637a9d..2724d1de49 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -249,10 +249,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
}
auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
SBREG->fill(SBDEFPIXEL);
- int32_t STRIPT;
- if (!pIADT->decode(pArithDecoder, &STRIPT))
+ int32_t INITIAL_STRIPT;
+ if (!pIADT->decode(pArithDecoder, &INITIAL_STRIPT))
return nullptr;
+ FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
STRIPT *= SBSTRIPS;
STRIPT = -STRIPT;
int32_t FIRSTS = 0;
@@ -287,7 +288,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
if (SBSTRIPS != 1)
pIAIT->decode(pArithDecoder, &CURT);
- int32_t TI = STRIPT + CURT;
+ FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+ if (!SAFE_TI.IsValid())
+ return nullptr;
+
+ int32_t TI = SAFE_TI.ValueOrDie();
uint32_t IDI;
pIAID->decode(pArithDecoder, &IDI);
if (IDI >= SBNUMSYMS)