summaryrefslogtreecommitdiff
path: root/core/fxcodec
diff options
context:
space:
mode:
authorkcwu <kcwu@chromium.org>2016-10-06 12:29:13 -0700
committerCommit bot <commit-bot@chromium.org>2016-10-06 12:29:13 -0700
commit587ec1975017ecbf13c1c3faf64c1008a95846f2 (patch)
treedd05e288f515fe076566d35b17053090a379cd05 /core/fxcodec
parent065c35006d96eaca324f49248d20d83709a25fbe (diff)
downloadpdfium-587ec1975017ecbf13c1c3faf64c1008a95846f2.tar.xz
Reject JBig2 Huffman table with too large shift value
BUG=chromium:653044 Review-Url: https://codereview.chromium.org/2397783002
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/jbig2/JBig2_HuffmanTable.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 3b34018c2d..26f0e52310 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -64,7 +64,8 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
int cur_low = low;
do {
if ((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) ||
- (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) {
+ (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1) ||
+ (static_cast<size_t>(RANGELEN[NTEMP]) >= 8 * sizeof(cur_low))) {
return false;
}
RANGELOW[NTEMP] = cur_low;