authorLei Zhang <thestig@chromium.org>2018-08-10 16:47:57 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-10 16:47:57 +0000
commitb0fc6e958634d919349e2a7611dd99f121e41d7d (patch)
treecc6610035e78f6c54fc7c567474fcb41cac5c7fb /core
parent939426c5cdcbc93f9f197b159133a3b4d735dcb0 (diff)
downloadpdfium-b0fc6e958634d919349e2a7611dd99f121e41d7d.tar.xz
Fix a JBIG2 decoding regression.
When trying to sanity check SBNUMINSTANCES for JBIG2 text regions for https://crbug.com/837192, the check did not take data encoding into account. Fix this by assuming there is a potential for 16:1 compression in the lossless encoding. BUG=chromium:871848 Change-Id: I991dacff9fbefa4e302f5ce92a355902ef94308a Reviewed-on: https://pdfium-review.googlesource.com/39790 Reviewed-by: Ryan Harrison <rharrison@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/jbig2/JBig2_Context.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index ec81990662..5bf9df9dc4 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -649,13 +649,13 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) {
if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
return JBig2_Result::kFailure;
- // Assume each instance takes at least 4 bits. That means for a stream of
- // length N, there can be at most 2N instances. This is an extremely
+ // Assume each instance takes at least 0.25 bits when encoded. That means for
+ // a stream of length N bytes, there can be at most 32N instances. This is a
// conservative estimate just to sanitize the |SBNUMINSTANCES| value.
// Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
// have a maximum size of roughly 11 GB.
FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
- nMaxStripInstances *= 2;
+ nMaxStripInstances *= 32;
if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
return JBig2_Result::kFailure;
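Review bot: The `ValueOrDie()` in the final check becomes reachable with much smaller inputs once the multiplier goes from 2 to 32, because `getLength() * 32` leaves the int32 range as soon as the stream is 64 MiB or longer. Assuming FX_SAFE_INT32 is the usual checked-numeric type, an oversized JBIG2 stream in an untrusted PDF would then abort the process instead of taking the `kFailure` path. The retained comment "it should never overflow because PDFs have a maximum size of roughly 11 GB" does not justify this for a 32x factor and should be reworded to state the actual limit. Failing closed keeps the sanity check without the abort: `if (!nMaxStripInstances.IsValid() || pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie()) return JBig2_Result::kFailure;`. ParseTextRegion starts and continues outside this hunk, so whether a later allocation is sized from SBNUMINSTANCES cannot be confirmed here. If it is, note that 32N is only a plausibility bound and not a memory limit.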