From 0294f3d06517265a3b63ec3238b32f77d92a71bf Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 12 Feb 2018 22:48:25 +0000
Subject: Fix signedness in CJBig2_HuffmanTable, and add overflow check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: 808902
Change-Id: Iad5ab63eeedc3ea85001337ba73626178c71f8b8
Reviewed-on: https://pdfium-review.googlesource.com/26470
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 1127f52a52..83f9fed010 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -53,9 +53,7 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
   uint32_t HTLOW;
   uint32_t HTHIGH;
   if (pStream->readInteger(&HTLOW) == -1 ||
-      pStream->readInteger(&HTHIGH) == -1 ||
-      HTLOW > static_cast<uint32_t>(std::numeric_limits<int>::max()) ||
-      HTHIGH > static_cast<uint32_t>(std::numeric_limits<int>::max())) {
+      pStream->readInteger(&HTHIGH) == -1) {
     return false;
   }
 
@@ -87,6 +85,9 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
     return false;
 
   RANGELEN[NTEMP] = 32;
+  if (low == std::numeric_limits<int>::min())
+    return false;
+
   RANGELOW[NTEMP] = low - 1;
   ExtendBuffers(true);
 
-- 
cgit v1.2.3