author | dsinclair <dsinclair@chromium.org> | 2016-06-07 09:48:39 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-06-07 09:48:39 -0700 |
commit | 8975902470dbfc15289b69f41e43ad0433ca51ae (patch) | |
tree | 8a83a3b3501e00092b11b62e92007141c6e479bd /core | |
parent | 720217d3f9e65b8237748f01ffbd4a296f81612e (diff) | |
download | pdfium-8975902470dbfc15289b69f41e43ad0433ca51ae.tar.xz |
Verify we have a CJBig2_Image before attempting use.

In CJBig2_SDDProc::decode_Arith we will set a SDNEWSYMS value to nullptr if the
height or width are 0. With the PDF from the bug, all of the decoders are set
to nullptr. Then, we call into CJBig2_TRDProc::decode_Arith and pull out
one of the nullptr decoders and attempt to use it, crashing.

This CL adds a check that we have a non-null decoder before attempting to use
the decoder.

BUG=pdfium:511

Review-Url: https://codereview.chromium.org/2048683002

Diffstat (limited to 'core')
-rw-r--r-- | core/fxcodec/jbig2/JBig2_TrdProc.cpp | 7 | ||||
-rw-r--r-- | core/fxcodec/jbig2/JBig2_TrdProc.h | 1 |
2 files changed, 5 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp index 5b0ef19505..177db9dec9 100644 --- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp +++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp @@ -324,11 +324,14 @@ CJBig2_Image* CJBig2_TRDProc::decode_Arith(CJBig2_ArithDecoder* pArithDecoder, pIARDX->decode(pArithDecoder, &RDXI); pIARDY->decode(pArithDecoder, &RDYI); CJBig2_Image* IBOI = SBSYMS[IDI]; + if (!IBOI) + return nullptr; + uint32_t WOI = IBOI->m_nWidth; uint32_t HOI = IBOI->m_nHeight; - if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0) { + if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0) return nullptr; - } + std::unique_ptr<CJBig2_GRRDProc> pGRRD(new CJBig2_GRRDProc()); pGRRD->GRW = WOI + RDWI; pGRRD->GRH = HOI + RDHI; diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.h b/core/fxcodec/jbig2/JBig2_TrdProc.h index fdad75fb6e..83e43ec05f 100644 --- a/core/fxcodec/jbig2/JBig2_TrdProc.h +++ b/core/fxcodec/jbig2/JBig2_TrdProc.h @@ -47,7 +47,6 @@ class CJBig2_TRDProc { JBig2ArithCtx* grContext, JBig2IntDecoderState* pIDS); - public: FX_BOOL SBHUFF; FX_BOOL SBREFINE; uint32_t SBW; |
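
Review bot: The new `if (!IBOI) return nullptr;` directly after `CJBig2_Image* IBOI = SBSYMS[IDI];` in JBig2_TrdProc.cpp carries no comment explaining why a symbol slot can be null. Only the commit message records that CJBig2_SDDProc::decode_Arith stores nullptr in SDNEWSYMS for a zero width or height, so a one-line comment at the check would keep a later cleanup from treating it as dead code. The same hunk also removes the braces around the `(int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0` return, which is a style-only edit; leaving it out of a crash fix would keep the patch minimal and easier to backport.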
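
Review bot: Dropping `public:` ahead of `FX_BOOL SBHUFF;` in JBig2_TrdProc.h is unrelated to the null check, and the visible context does not show which access specifier now governs SBHUFF, SBREFINE and SBW. If the section above is already public, this is a no-op cleanup that would sit better in its own change; if it is not, code that sets these fields from outside the class stops compiling, so it is worth confirming before landing.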