author | Dan Sinclair <dsinclair@chromium.org> | 2017-04-10 17:32:01 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-04-10 22:10:26 +0000 |
commit | 96e65ae3a3a328022f025805e9db02cbed1b5607 (patch) | |
tree | a0db27e242ad8dfaf159aebfdb939ceb6bd3fc1c /core/fxcodec | |
parent | 0c820a2c5e2c197c0f436f2ac9e4f49207a79c4f (diff) | |
download | pdfium-96e65ae3a3a328022f025805e9db02cbed1b5607.tar.xz |
Guard against negative shift in nVal calculation
It's possible for nVal to become negative as it is shifted. This CL
changes nVal to be a checked_numeric and bails out if the shift is invalid.
Bug: chromium:708504
Change-Id: Ia2ebbc828ece7f7d443432542784b39defe6a897
Reviewed-on: https://pdfium-review.googlesource.com/4010
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fxcodec')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_TrdProc.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index cf58d9c3c6..f681e05569 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -69,7 +69,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 CURT = nVal;
 }
 int32_t TI = STRIPT + CURT;
- int32_t nVal = 0;
+ pdfium::base::CheckedNumeric<int32_t> nVal = 0;
 int32_t nBits = 0;
 uint32_t IDI;
 for (;;) {
@@ -77,11 +77,15 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 if (pStream->read1Bit(&nTmp) != 0)
 return nullptr;
- nVal = (nVal << 1) | nTmp;
+ nVal <<= 1;
+ if (!nVal.IsValid())
+ return nullptr;
+
+ nVal |= nTmp;
 nBits++;
 for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
 if ((nBits == SBSYMCODES[IDI].codelen) &&
- (nVal == SBSYMCODES[IDI].code)) {
+ (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
 break;
 }
 }
@@ -101,11 +105,12 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 int32_t RDHI;
 int32_t RDXI;
 int32_t RDYI;
+ int32_t HUFFRSIZE;
 if ((pHuffmanDecoder->decodeAValue(SBHUFFRDW, &RDWI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDH, &RDHI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDX, &RDXI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDY, &RDYI) != 0) ||
- (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &nVal) != 0)) {
+ (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &HUFFRSIZE) != 0)) {
 return nullptr;
 }
 pStream->alignByte();
@@ -141,7 +146,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 pStream->alignByte();
 pStream->offset(2);
- if ((uint32_t)nVal != (pStream->getOffset() - nTmp)) {
+ if (static_cast<uint32_t>(HUFFRSIZE) != (pStream->getOffset() - nTmp)) {
 delete IBI;
 return nullptr;
 }
 |
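Review bot: In the `for (;;)` bit-reading loop of the second hunk, the new `IsValid()` bail-out appears to be what ends the loop when the stream's bits never match an `SBSYMCODES` entry, but nothing at the check says why an overflowing prefix means a corrupt stream. A comment above it such as `// Shift overflowed: the prefix is longer than any code that fits in int32_t, so the stream is corrupt.` would record that intent. `nVal.ValueOrDie()` is also called on every pass of the inner `IDI` loop; reading it once before that loop, e.g. `const int32_t code = nVal.ValueOrDie();`, keeps the aborting accessor next to the validity check that makes it safe. The loop's exit test lies outside the hunk, so whether `nBits` is otherwise bounded cannot be confirmed from here.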
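Review bot: The size comparison in the last hunk rejects a negative `HUFFRSIZE` only through the wrap-around of `static_cast<uint32_t>(HUFFRSIZE)`. Stating it directly, `if (HUFFRSIZE < 0 || static_cast<uint32_t>(HUFFRSIZE) != (pStream->getOffset() - nTmp)) {`, makes the rejection of a malformed decoded size explicit rather than incidental. `HUFFRSIZE` is declared without an initializer in the third hunk and is assigned only by `decodeAValue`, which is fine provided every path to this comparison goes through that call; the code between the two hunks is not visible here. The enclosing block starts and ends outside the hunk.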