authordsinclair <dsinclair@chromium.org>2016-06-07 09:48:39 -0700
committerCommit bot <commit-bot@chromium.org>2016-06-07 09:48:39 -0700
commit8975902470dbfc15289b69f41e43ad0433ca51ae (patch)
tree8a83a3b3501e00092b11b62e92007141c6e479bd /core
parent720217d3f9e65b8237748f01ffbd4a296f81612e (diff)
downloadpdfium-8975902470dbfc15289b69f41e43ad0433ca51ae.tar.xz
Verify we have a CJBig2_Image before attempting use.
In CJBig2_SDDProc::decode_Arith we set a SDNEWSYMS entry to nullptr if the height or width is 0. With the PDF from the bug, all of the decoders are set to nullptr. We then call into CJBig2_TRDProc::decode_Arith, pull out one of the nullptr decoders and attempt to use it, crashing. This CL adds a check that the decoder is non-null before attempting to use it. BUG=pdfium:511 Review-Url: https://codereview.chromium.org/2048683002
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/jbig2/JBig2_TrdProc.cpp7
-rw-r--r--core/fxcodec/jbig2/JBig2_TrdProc.h1
2 files changed, 5 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index 5b0ef19505..177db9dec9 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -324,11 +324,14 @@ CJBig2_Image* CJBig2_TRDProc::decode_Arith(CJBig2_ArithDecoder* pArithDecoder,
pIARDX->decode(pArithDecoder, &RDXI);
pIARDY->decode(pArithDecoder, &RDYI);
CJBig2_Image* IBOI = SBSYMS[IDI];
+ if (!IBOI)
+ return nullptr;
+
uint32_t WOI = IBOI->m_nWidth;
uint32_t HOI = IBOI->m_nHeight;
- if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0) {
+ if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0)
return nullptr;
- }
+
std::unique_ptr<CJBig2_GRRDProc> pGRRD(new CJBig2_GRRDProc());
pGRRD->GRW = WOI + RDWI;
pGRRD->GRH = HOI + RDHI;
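Review bot: The new `if (!IBOI) return nullptr;` guard gives no hint of why a symbol slot can be null, so a later reader may mistake it for defensive noise; since the commit message says CJBig2_SDDProc stores nullptr for zero-width or zero-height symbols, a comment such as `// SDDProc leaves a nullptr for symbols with zero width or height.` above the check would record that. Note that the guard fails the whole text-region decode rather than skipping the empty symbol; if an empty symbol is legitimate input, skipping it may be the more faithful behaviour, which is worth confirming against the SDDProc side. The hunk also does not show where IDI is validated against the size of SBSYMS; if that bound is checked earlier in the function this is fine, otherwise the null check does not protect the `SBSYMS[IDI]` read itself. decode_Arith's body begins and ends outside the hunk.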
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.h b/core/fxcodec/jbig2/JBig2_TrdProc.h
index fdad75fb6e..83e43ec05f 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.h
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.h
@@ -47,7 +47,6 @@ class CJBig2_TRDProc {
JBig2ArithCtx* grContext,
JBig2IntDecoderState* pIDS);
- public:
FX_BOOL SBHUFF;
FX_BOOL SBREFINE;
uint32_t SBW;