authorLei Zhang <thestig@chromium.org>2018-05-02 14:33:54 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-05-02 14:33:54 +0000
commit28cad1534619d55820593baed0b6d6f3cbf767eb (patch)
tree365208753d9b2957c5b091165c03c01478bb9436 /core/fxcodec
parente77cccd4fe7e5b6707370ea7b67e6e303fe2764b (diff)
Make several Huffman decoders consistently check for integer overflows.
BUG=chromium:837972 Change-Id: I6cfa28bff38870419e4b1e2bced427cfcbf843cd Reviewed-on: https://pdfium-review.googlesource.com/31912 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/jbig2/JBig2_Context.cpp14
-rw-r--r--core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp10
-rw-r--r--core/fxcodec/jbig2/JBig2_TrdProc.cpp14
3 files changed, 24 insertions, 14 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 1763144b49..b753380aa2 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -23,6 +23,7 @@
#include "core/fxcodec/jbig2/JBig2_PddProc.h"
#include "core/fxcodec/jbig2/JBig2_SddProc.h"
#include "core/fxcodec/jbig2/JBig2_TrdProc.h"
+#include "core/fxcrt/fx_safe_types.h"
#include "core/fxcrt/pauseindicator_iface.h"
#include "third_party/base/ptr_util.h"
@@ -1269,17 +1270,20 @@ std::vector<JBig2HuffmanCode> CJBig2_Context::DecodeSymbolIDHuffmanTable(
int32_t i = 0;
while (i < static_cast<int>(SBNUMSYMS)) {
size_t j;
- int32_t nVal = 0;
+ FX_SAFE_INT32 nSafeVal = 0;
int32_t nBits = 0;
uint32_t nTemp;
while (true) {
- if (nVal > std::numeric_limits<int32_t>::max() / 2 ||
- m_pStream->read1Bit(&nTemp) != 0) {
+ if (m_pStream->read1Bit(&nTemp) != 0)
+ return std::vector<JBig2HuffmanCode>();
+
+ nSafeVal <<= 1;
+ if (!nSafeVal.IsValid())
return std::vector<JBig2HuffmanCode>();
- }
- nVal = (nVal << 1) | nTemp;
+ nSafeVal |= nTemp;
++nBits;
+ const int32_t nVal = nSafeVal.ValueOrDie();
for (j = 0; j < kRunCodesSize; ++j) {
if (nBits == huffman_codes[j].codelen && nVal == huffman_codes[j].code)
break;
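Review bot: `nSafeVal.ValueOrDie()` runs directly after `nSafeVal |= nTemp`, but the only `IsValid()` test sits between the shift and the OR, so the OR result is never checked. That is safe only if `read1Bit()` always writes 0 or 1 into `nTemp`, which is not visible here; if it ever wrote anything wider, the decoder would abort the process instead of returning an empty table. Since an invalid checked value presumably stays invalid through later operations, moving the test after the OR would cover both steps: `nSafeVal |= nTemp;` followed by `if (!nSafeVal.IsValid()) return std::vector<JBig2HuffmanCode>();`. The same ordering appears in the `DecodeAValue` and `DecodeHuffman` hunks, and the enclosing `while` loop continues past the end of this hunk.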
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
index cdb6fbe752..7f250a5d08 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
@@ -7,6 +7,7 @@
#include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h"
#include "core/fxcodec/jbig2/JBig2_Define.h"
+#include "core/fxcrt/fx_safe_types.h"
CJBig2_HuffmanDecoder::CJBig2_HuffmanDecoder(CJBig2_BitStream* pStream)
: m_pStream(pStream) {}
@@ -15,15 +16,20 @@ CJBig2_HuffmanDecoder::~CJBig2_HuffmanDecoder() {}
int CJBig2_HuffmanDecoder::DecodeAValue(CJBig2_HuffmanTable* pTable,
int* nResult) {
- int nVal = 0;
+ FX_SAFE_INT32 nSafeVal = 0;
int nBits = 0;
while (1) {
uint32_t nTmp;
if (m_pStream->read1Bit(&nTmp) == -1)
break;
- nVal = (nVal << 1) | nTmp;
+ nSafeVal <<= 1;
+ if (!nSafeVal.IsValid())
+ break;
+
+ nSafeVal |= nTmp;
++nBits;
+ const int32_t nVal = nSafeVal.ValueOrDie();
for (uint32_t i = 0; i < pTable->Size(); ++i) {
const JBig2HuffmanCode& code = pTable->GetCODES()[i];
if (code.codelen != nBits || code.code != nVal)
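Review bot: The read-failure test in `DecodeAValue` is still `read1Bit(&nTmp) == -1`, while the other two decoders in this commit use `!= 0`. `nTmp` is declared without an initializer, so if `read1Bit()` can report failure with any nonzero value other than -1 (its contract is not visible here), an indeterminate `nTmp` would be ORed into `nSafeVal`. For the consistency the commit title promises, I would write `if (m_pStream->read1Bit(&nTmp) != 0) break;` and initialize the local with `uint32_t nTmp = 0;`. What happens after the `break` is outside this hunk, so the overflow path is worth confirming to return an error code rather than a stale `*nResult`.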
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index b59f63bab4..ff94309bc4 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -12,6 +12,7 @@
#include "core/fxcodec/jbig2/JBig2_ArithIntDecoder.h"
#include "core/fxcodec/jbig2/JBig2_GrrdProc.h"
#include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h"
+#include "core/fxcrt/fx_safe_types.h"
#include "core/fxcrt/maybe_owned.h"
#include "third_party/base/ptr_util.h"
@@ -81,7 +82,7 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeHuffman(
return nullptr;
int32_t TI = SAFE_TI.ValueOrDie();
- pdfium::base::CheckedNumeric<int32_t> nVal = 0;
+ FX_SAFE_INT32 nSafeVal = 0;
int32_t nBits = 0;
uint32_t IDI;
for (;;) {
@@ -89,17 +90,16 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeHuffman(
if (pStream->read1Bit(&nTmp) != 0)
return nullptr;
- nVal <<= 1;
- if (!nVal.IsValid())
+ nSafeVal <<= 1;
+ if (!nSafeVal.IsValid())
return nullptr;
- nVal |= nTmp;
+ nSafeVal |= nTmp;
++nBits;
+ const int32_t nVal = nSafeVal.ValueOrDie();
for (IDI = 0; IDI < SBNUMSYMS; ++IDI) {
- if ((nBits == SBSYMCODES[IDI].codelen) &&
- (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
+ if (nBits == SBSYMCODES[IDI].codelen && nVal == SBSYMCODES[IDI].code)
break;
- }
}
if (IDI < SBNUMSYMS)
break;
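Review bot: The new overflow check does not bound this `for (;;)` loop when the input bits are all zero, because shifting a zero `nSafeVal` never becomes invalid. In that case `nBits` (a plain `int32_t`) keeps growing and every bit triggers a full scan of `SBSYMCODES` until a match or the end of the stream. Assuming no valid symbol code is longer than 32 bits, a cap right after `++nBits` would stop early on malformed data, e.g. `if (nBits > 32) return nullptr;`. Alternatively, compare against the largest `codelen` in `SBSYMCODES`. The same loop shape is repeated in `DecodeSymbolIDHuffmanTable` and `DecodeAValue`, so a shared helper for "read one bit into a checked code value" would keep the three copies from drifting apart again.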