summaryrefslogtreecommitdiff
path: root/core/fxcodec/jbig2
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-11-30 18:10:11 +0000
committerChromium commit bot <commit-bot@chromium.org>2017-11-30 18:10:11 +0000
commitfee910e6f81fd199bfe4fd62ea538d1bc33056a8 (patch)
treecf35f656740661f9ff6e9a762da1024fa7802f75 /core/fxcodec/jbig2
parent646257d65c653acdf2bea96c69e0550ca03340c6 (diff)
downloadpdfium-fee910e6f81fd199bfe4fd62ea538d1bc33056a8.tar.xz
Prevent integer overflow in CJBig2_HuffmanTable::ParseFromCodedBuffer
In this CL we prevent integer overflow by checking that the integers are in the appropriate range before casting from unsigned to signed. Bug: 789524 Change-Id: I41572849f18ffb0f0739c80130ee6b5061845d29 Reviewed-on: https://pdfium-review.googlesource.com/20011 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core/fxcodec/jbig2')
-rw-r--r--core/fxcodec/jbig2/JBig2_HuffmanTable.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index a4998e99cf..1127f52a52 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -7,6 +7,7 @@
#include "core/fxcodec/jbig2/JBig2_HuffmanTable.h"
#include <algorithm>
+#include <limits>
#include <vector>
#include "core/fxcodec/jbig2/JBig2_BitStream.h"
@@ -52,7 +53,9 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
uint32_t HTLOW;
uint32_t HTHIGH;
if (pStream->readInteger(&HTLOW) == -1 ||
- pStream->readInteger(&HTHIGH) == -1) {
+ pStream->readInteger(&HTHIGH) == -1 ||
+ HTLOW > static_cast<uint32_t>(std::numeric_limits<int>::max()) ||
+ HTHIGH > static_cast<uint32_t>(std::numeric_limits<int>::max())) {
return false;
}