M69: Fix a JBIG2 decoding regression.chromium/3497

When trying to sanity check SBNUMINSTANCES for JBIG2 text regions for
https://crbug.com/837192, the check did not take data encoding into
account. Fix this by assuming there is a potential for 16:1 compression
in the lossless encoding.

TBR=rharrison@chromium.org
BUG=chromium:871848

Change-Id: I991dacff9fbefa4e302f5ce92a355902ef94308a
Reviewed-on: https://pdfium-review.googlesource.com/39790
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit b0fc6e958634d919349e2a7611dd99f121e41d7d)
Reviewed-on: https://pdfium-review.googlesource.com/39993
Reviewed-by: Lei Zhang <thestig@chromium.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index ec81990662..5bf9df9dc4 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -649,13 +649,13 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) {
   if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
     return JBig2_Result::kFailure;
 
-  // Assume each instance takes at least 4 bits. That means for a stream of
-  // length N, there can be at most 2N instances. This is an extremely
+  // Assume each instance takes at least 0.25 bits when encoded. That means for
+  // a stream of length N bytes, there can be at most 32N instances. This is a
   // conservative estimate just to sanitize the |SBNUMINSTANCES| value.
   // Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
   // have a maximum size of roughly 11 GB.
   FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
-  nMaxStripInstances *= 2;
+  nMaxStripInstances *= 32;
   if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
     return JBig2_Result::kFailure;