From 0e3635c59e79e8ca782412fa1bcf377c7c4f980e Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 27 Apr 2018 16:53:49 +0000
Subject: Sanitize another image size in CJBig2_Context::parseHalftoneRegion().
BUG=chromium:836872
Change-Id: I0362fd7708043648bffa26c9248b401ea2793a21
Reviewed-on: https://pdfium-review.googlesource.com/31510
Commit-Queue: Ryan Harrison
Reviewed-by: Ryan Harrison
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 88c8cfa21c..c8095c8448 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -995,8 +995,10 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
 return JBIG2_ERROR_TOO_SHORT;
 }
- if (pHRD->HGW == 0 || pHRD->HGH == 0)
+ if (pHRD->HGW == 0 || pHRD->HGW > JBIG2_MAX_IMAGE_SIZE || pHRD->HGH == 0 ||
+ pHRD->HGH > JBIG2_MAX_IMAGE_SIZE) {
 return JBIG2_ERROR_FATAL;
+ }
 if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
 ri.height > JBIG2_MAX_IMAGE_SIZE) {
-- cgit v1.2.3
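Review bot: The new guard bounds HGW and HGH separately but not their product, so a grayscale grid of up to JBIG2_MAX_IMAGE_SIZE × JBIG2_MAX_IMAGE_SIZE still passes here; unless the image constructor that later consumes HGW/HGH rejects an oversize width*height on its own (that code is outside this hunk), the allocation is still sized by the attacker. If that downstream check exists, this guard deserves a comment saying so, e.g. `// Per-dimension bound only: width*height is expected to be rejected where the grayscale image is allocated.`; if it does not, an explicit area check next to this one is the safer fix. Note also that HGW/HGH are tested with `== 0` while ri.width/ri.height just below use `<= 0`, which reads as a signedness difference between the two structs and is worth a one-line comment so a later cleanup does not "harmonize" it the wrong way. parseHalftoneRegion begins before and continues past the hunk.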