summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorDan Sinclair <dsinclair@chromium.org>2017-04-10 17:32:01 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-04-10 22:10:26 +0000
commit96e65ae3a3a328022f025805e9db02cbed1b5607 (patch)
treea0db27e242ad8dfaf159aebfdb939ceb6bd3fc1c /core
parent0c820a2c5e2c197c0f436f2ac9e4f49207a79c4f (diff)
downloadpdfium-96e65ae3a3a328022f025805e9db02cbed1b5607.tar.xz
Guard against negative shift in nVal calculation
It's possible for the nVal to become negative as it is shifted. This Cl changes nVal to be a checked_numeric and bails out if the shift is invalid. Bug: chromium:708504 Change-Id: Ia2ebbc828ece7f7d443432542784b39defe6a897 Reviewed-on: https://pdfium-review.googlesource.com/4010 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/jbig2/JBig2_TrdProc.cpp15
1 files changed, 10 insertions, 5 deletions
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index cf58d9c3c6..f681e05569 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -69,7 +69,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
CURT = nVal;
}
int32_t TI = STRIPT + CURT;
- int32_t nVal = 0;
+ pdfium::base::CheckedNumeric<int32_t> nVal = 0;
int32_t nBits = 0;
uint32_t IDI;
for (;;) {
@@ -77,11 +77,15 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
if (pStream->read1Bit(&nTmp) != 0)
return nullptr;
- nVal = (nVal << 1) | nTmp;
+ nVal <<= 1;
+ if (!nVal.IsValid())
+ return nullptr;
+
+ nVal |= nTmp;
nBits++;
for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
if ((nBits == SBSYMCODES[IDI].codelen) &&
- (nVal == SBSYMCODES[IDI].code)) {
+ (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
break;
}
}
@@ -101,11 +105,12 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
int32_t RDHI;
int32_t RDXI;
int32_t RDYI;
+ int32_t HUFFRSIZE;
if ((pHuffmanDecoder->decodeAValue(SBHUFFRDW, &RDWI) != 0) ||
(pHuffmanDecoder->decodeAValue(SBHUFFRDH, &RDHI) != 0) ||
(pHuffmanDecoder->decodeAValue(SBHUFFRDX, &RDXI) != 0) ||
(pHuffmanDecoder->decodeAValue(SBHUFFRDY, &RDYI) != 0) ||
- (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &nVal) != 0)) {
+ (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &HUFFRSIZE) != 0)) {
return nullptr;
}
pStream->alignByte();
@@ -141,7 +146,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
pStream->alignByte();
pStream->offset(2);
- if ((uint32_t)nVal != (pStream->getOffset() - nTmp)) {
+ if (static_cast<uint32_t>(HUFFRSIZE) != (pStream->getOffset() - nTmp)) {
delete IBI;
return nullptr;
}