summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/jbig2/JBig2_SddProc.cpp19
1 files changed, 19 insertions, 0 deletions
diff --git a/core/fxcodec/jbig2/JBig2_SddProc.cpp b/core/fxcodec/jbig2/JBig2_SddProc.cpp
index 1a7e96d26b..f6afb13497 100644
--- a/core/fxcodec/jbig2/JBig2_SddProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_SddProc.cpp
@@ -38,6 +38,7 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Arith(
uint32_t SBNUMSYMS;
uint8_t SBSYMCODELEN;
int32_t RDXI, RDYI;
+ uint32_t num_ex_syms;
CJBig2_Image** SBSYMS;
std::unique_ptr<CJBig2_ArithIaidDecoder> IAID;
std::unique_ptr<CJBig2_SymbolDict> pDict;
@@ -235,6 +236,7 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Arith(
EXINDEX = 0;
CUREXFLAG = 0;
EXFLAGS = FX_Alloc(FX_BOOL, SDNUMINSYMS + SDNUMNEWSYMS);
+ num_ex_syms = 0;
while (EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS) {
IAEX->decode(pArithDecoder, (int*)&EXRUNLENGTH);
if (EXINDEX + EXRUNLENGTH > SDNUMINSYMS + SDNUMNEWSYMS) {
@@ -243,12 +245,19 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Arith(
}
if (EXRUNLENGTH != 0) {
for (I = EXINDEX; I < EXINDEX + EXRUNLENGTH; I++) {
+ if (CUREXFLAG)
+ num_ex_syms++;
EXFLAGS[I] = CUREXFLAG;
}
}
EXINDEX = EXINDEX + EXRUNLENGTH;
CUREXFLAG = !CUREXFLAG;
}
+ if (num_ex_syms > SDNUMEXSYMS) {
+ FX_Free(EXFLAGS);
+ goto failed;
+ }
+
pDict.reset(new CJBig2_SymbolDict);
I = J = 0;
for (I = 0; I < SDNUMINSYMS + SDNUMNEWSYMS; I++) {
@@ -303,6 +312,7 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Huffman(
int32_t RDXI, RDYI;
uint32_t BMSIZE;
uint32_t stride;
+ uint32_t num_ex_syms;
CJBig2_Image** SBSYMS;
std::unique_ptr<CJBig2_HuffmanDecoder> pHuffmanDecoder(
new CJBig2_HuffmanDecoder(pStream));
@@ -555,6 +565,7 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Huffman(
pTable.reset(new CJBig2_HuffmanTable(HuffmanTable_B1, HuffmanTable_B1_Size,
HuffmanTable_HTOOB_B1));
EXFLAGS = FX_Alloc(FX_BOOL, SDNUMINSYMS + SDNUMNEWSYMS);
+ num_ex_syms = 0;
while (EXINDEX < SDNUMINSYMS + SDNUMNEWSYMS) {
if (pHuffmanDecoder->decodeAValue(pTable.get(), (int*)&EXRUNLENGTH) != 0) {
FX_Free(EXFLAGS);
@@ -566,12 +577,20 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Huffman(
}
if (EXRUNLENGTH != 0) {
for (I = EXINDEX; I < EXINDEX + EXRUNLENGTH; I++) {
+ if (CUREXFLAG)
+ num_ex_syms++;
+
EXFLAGS[I] = CUREXFLAG;
}
}
EXINDEX = EXINDEX + EXRUNLENGTH;
CUREXFLAG = !CUREXFLAG;
}
+ if (num_ex_syms > SDNUMEXSYMS) {
+ FX_Free(EXFLAGS);
+ goto failed;
+ }
+
I = J = 0;
for (I = 0; I < SDNUMINSYMS + SDNUMNEWSYMS; I++) {
if (EXFLAGS[I] && J < SDNUMEXSYMS) {