author | Nicolas Pena <npm@chromium.org> | 2017-10-30 19:30:52 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-30 19:30:52 +0000 |
commit | 956cb632e00558d20ccf756ebc286bce2674e774 (patch) | |
tree | f2a48e13602676084cb72c07315f3ebba5f13202 /core/fxcodec/jbig2 | |
parent | 3de090d52aa629f3bbded16ce7069a8b25bbbc46 (diff) | |
More safe ints in CJBig2_TRDProc
Bug: chromium:778961
Change-Id: I1d08b3282304931276c24e50392c10b21780dcde
Reviewed-on: https://pdfium-review.googlesource.com/16971
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_TrdProc.cpp | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index 2724d1de49..f033c9bfea 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -25,10 +25,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 auto pHuffmanDecoder = pdfium::MakeUnique<CJBig2_HuffmanDecoder>(pStream);
 auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
 SBREG->fill(SBDEFPIXEL);
- int32_t STRIPT;
- if (pHuffmanDecoder->decodeAValue(SBHUFFDT, &STRIPT) != 0)
+ int32_t INITIAL_STRIPT;
+ if (pHuffmanDecoder->decodeAValue(SBHUFFDT, &INITIAL_STRIPT) != 0)
 return nullptr;
+ FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
 STRIPT *= SBSTRIPS;
 STRIPT = -STRIPT;
 int32_t FIRSTS = 0;
@@ -39,9 +40,9 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 return nullptr;
 DT *= SBSTRIPS;
- STRIPT = STRIPT + DT;
+ STRIPT += DT;
 bool bFirst = true;
- int32_t CURS = 0;
+ FX_SAFE_INT32 CURS = 0;
 for (;;) {
 if (bFirst) {
 int32_t DFS;
@@ -60,7 +61,8 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 if (nVal != 0)
 return nullptr;
- CURS = CURS + IDS + SBDSOFFSET;
+ CURS += IDS;
+ CURS += SBDSOFFSET;
 }
 uint8_t CURT = 0;
 if (SBSTRIPS != 1) {
@@ -73,7 +75,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 CURT = nVal;
 }
- int32_t TI = STRIPT + CURT;
+ FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+ if (!SAFE_TI.IsValid())
+ return nullptr;
+
+ int32_t TI = SAFE_TI.ValueOrDie();
 pdfium::base::CheckedNumeric<int32_t> nVal = 0;
 int32_t nBits = 0;
 uint32_t IDI;
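Review bot: In the `@@ -39,9 +40,9 @@` hunk, `DT *= SBSTRIPS;` is still a plain multiplication that runs before the value reaches the checked `STRIPT += DT;`, so an overflow in that product is not caught by the later `IsValid()` test. DT's declaration is above the hunk; if it is an `int32_t` filled by `decodeAValue()`, as the matching `int32_t DT` in decode_Arith suggests, a large decoded delta times SBSTRIPS is signed overflow on stream-controlled data. Doing the multiply in the checked type closes that: `FX_SAFE_INT32 SAFE_DT = DT; SAFE_DT *= SBSTRIPS; STRIPT += SAFE_DT;`. `FIRSTS` (declared `int32_t` in the first hunk) also stays unchecked; its update inside `if (bFirst)` is outside the hunk, so that is worth confirming as well.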
@@ -160,12 +166,15 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 uint32_t HI = IBI->height();
 if (TRANSPOSED == 0 && ((REFCORNER == JBIG2_CORNER_TOPRIGHT) ||
 (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
- CURS = CURS + WI - 1;
+ CURS += WI - 1;
 } else if (TRANSPOSED == 1 && ((REFCORNER == JBIG2_CORNER_BOTTOMLEFT) ||
 (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
- CURS = CURS + HI - 1;
+ CURS += HI - 1;
 }
- int32_t SI = CURS;
+ if (!CURS.IsValid())
+ return nullptr;
+
+ int32_t SI = CURS.ValueOrDie();
 if (TRANSPOSED == 0) {
 switch (REFCORNER) {
 case JBIG2_CORNER_TOPLEFT:
@@ -199,10 +208,10 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Huffman(
 }
 if (TRANSPOSED == 0 && ((REFCORNER == JBIG2_CORNER_TOPLEFT) ||
 (REFCORNER == JBIG2_CORNER_BOTTOMLEFT))) {
- CURS = CURS + WI - 1;
+ CURS += WI - 1;
 } else if (TRANSPOSED == 1 && ((REFCORNER == JBIG2_CORNER_TOPLEFT) ||
 (REFCORNER == JBIG2_CORNER_TOPRIGHT))) {
- CURS = CURS + HI - 1;
+ CURS += HI - 1;
 }
 NINSTANCES = NINSTANCES + 1;
 }
@@ -259,7 +268,7 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
 int32_t FIRSTS = 0;
 uint32_t NINSTANCES = 0;
 while (NINSTANCES < SBNUMINSTANCES) {
- int32_t CURS = 0;
+ FX_SAFE_INT32 CURS = 0;
 int32_t DT;
 if (!pIADT->decode(pArithDecoder, &DT))
 return nullptr;
@@ -279,7 +288,8 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
 if (!pIADS->decode(pArithDecoder, &IDS))
 break;
- CURS += IDS + SBDSOFFSET;
+ CURS += IDS;
+ CURS += SBDSOFFSET;
 }
 if (NINSTANCES >= SBNUMINSTANCES)
 break;
@@ -353,7 +363,10 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
 (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
 CURS += HI - 1;
 }
- int32_t SI = CURS;
+ if (!CURS.IsValid())
+ return nullptr;
+
+ int32_t SI = CURS.ValueOrDie();
 if (TRANSPOSED == 0) {
 switch (REFCORNER) {
 case JBIG2_CORNER_TOPLEFT: |
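Review bot: In the `@@ -160,12 +166,15 @@` hunk, `CURS += WI - 1;` and `CURS += HI - 1;` evaluate the subtraction in `uint32_t` before the result reaches the checked type (HI is declared `uint32_t` at the top of the hunk; WI is declared above it, presumably likewise). A zero width or height would wrap to 0xFFFFFFFF, which should invalidate CURS in almost every case, so the decode returns nullptr where the old code stepped back by one; if a zero-sized symbol bitmap can reach this point, that is a behaviour change. Keeping both steps in checked arithmetic avoids the wrap: `CURS += WI; CURS -= 1;`. The same expression appears in the `@@ -199,10 +208,10 @@` hunk and, as context, in the `@@ -353,7 +363,10 @@` hunk of decode_Arith.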
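Review bot: The `@@ -259,7 +268,7 @@` hunk converts only CURS in decode_Arith, whereas decode_Huffman also had STRIPT moved to `FX_SAFE_INT32` and its `STRIPT + CURT` sum validated. `int32_t DT` is still decoded here with `pIADT->decode()` straight from the stream, and the statements that consume it are below the hunk; if they mirror the Huffman path (`DT *= SBSTRIPS`, accumulation into STRIPT, then `TI = STRIPT + CURT`), they remain unchecked signed arithmetic on values an untrusted document controls. It would be worth applying the same checked-STRIPT pattern in decode_Arith, or adding a comment there saying why the arithmetic-coded path cannot overflow.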