From 20c8a9a66ea710b96493c9048fb65753e68b48fc Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 18 Dec 2015 16:04:51 -0800
Subject: Fix the JBIG2 decoding regressions from commit bc4b82e and 8a9ce57.
BUG=566063
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1534323002 .
---
 core/src/fxcodec/jbig2/JBig2_Context.cpp | 24 ++++++++++++------------
 core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 19 ++++++++++++-------
 2 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/core/src/fxcodec/jbig2/JBig2_Context.cpp b/core/src/fxcodec/jbig2/JBig2_Context.cpp
index d0f6995e3d..1cc8fbde24 100644
--- a/core/src/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Context.cpp
@@ -516,7 +516,7 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 pSymbolDictDecoder->SDHUFFDH = Table_B5.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pSymbolDictDecoder->SDHUFFDH = pSeg->m_Result.ht;
@@ -533,7 +533,7 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 pSymbolDictDecoder->SDHUFFDW = Table_B3.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pSymbolDictDecoder->SDHUFFDW = pSeg->m_Result.ht;
@@ -545,7 +545,7 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 pSymbolDictDecoder->SDHUFFBMSIZE = Table_B1.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pSymbolDictDecoder->SDHUFFBMSIZE = pSeg->m_Result.ht;
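Review bot: The increment buried in the argument list, `findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++)`, leaves the intended order invisible at the call site, although pre- versus post-increment decides which referred table segment each Huffman field receives. The same line is repeated in every hunk of this file (the remaining parseSymbolDict hunks and all parseTextRegion hunks), alongside the bare literal `53`. I would name the constant and put a comment where nIndex is declared, for example `// Number of referred table segments consumed so far; passed as the index of the next one.`, with the wording confirmed against the declaration, which is outside these hunks. Because this path parses document-supplied data, a regression test using a JBIG2 stream with custom Huffman tables would keep the ordering from silently flipping again. Both function bodies start and end outside the hunks.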
@@ -560,7 +560,7 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 pSymbolDictDecoder->SDHUFFAGGINST = Table_B1.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pSymbolDictDecoder->SDHUFFAGGINST = pSeg->m_Result.ht;
@@ -782,7 +782,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFFS = Table_B7.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFFS = pSeg->m_Result.ht;
@@ -804,7 +804,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFDS = Table_B10.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFDS = pSeg->m_Result.ht;
@@ -826,7 +826,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFDT = Table_B13.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFDT = pSeg->m_Result.ht;
@@ -843,7 +843,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFRDW = Table_B15.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFRDW = pSeg->m_Result.ht;
@@ -864,7 +864,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFRDH = Table_B15.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFRDH = pSeg->m_Result.ht;
@@ -885,7 +885,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFRDX = Table_B15.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFRDX = pSeg->m_Result.ht;
@@ -906,7 +906,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFRDY = Table_B15.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFRDY = pSeg->m_Result.ht;
@@ -918,7 +918,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 pTRD->SBHUFFRSIZE = Table_B1.get();
 } else {
 CJBig2_Segment* pSeg =
- findReferredSegmentByTypeAndIndex(pSegment, 53, ++nIndex);
+ findReferredSegmentByTypeAndIndex(pSegment, 53, nIndex++);
 if (!pSeg)
 return JBIG2_ERROR_FATAL;
 pTRD->SBHUFFRSIZE = pSeg->m_Result.ht;
diff --git a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 6b6f16109b..8aaebf46a2 100644
--- a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -103,15 +103,20 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream* pStream) { FX_DWORD HTLOW; FX_DWORD HTHIGH; if (pStream->readInteger(&HTLOW) == -1 || - pStream->readInteger(&HTHIGH) == -1 || HTLOW > HTHIGH) { + pStream->readInteger(&HTHIGH) == -1) { return FALSE; } + const int low = static_cast(HTLOW); + const int high = static_cast(HTHIGH); + if (low > high) + return false; + FX_DWORD nSize = 16; PREFLEN = FX_Alloc(int, nSize); RANGELEN = FX_Alloc(int, nSize); RANGELOW = FX_Alloc(int, nSize); - FX_DWORD CURRANGELOW = HTLOW; + int cur_low = low; NTEMP = 0; do { HT_CHECK_MEMORY_ADJUST @@ -119,23 +124,23 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream* pStream) { (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) { return FALSE; } - RANGELOW[NTEMP] = CURRANGELOW; - CURRANGELOW = CURRANGELOW + (1 << RANGELEN[NTEMP]); + RANGELOW[NTEMP] = cur_low; + cur_low += (1 << RANGELEN[NTEMP]); NTEMP = NTEMP + 1; - } while (CURRANGELOW < HTHIGH); + } while (cur_low < high); HT_CHECK_MEMORY_ADJUST if (pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) return FALSE; RANGELEN[NTEMP] = 32; - RANGELOW[NTEMP] = HTLOW - 1; + RANGELOW[NTEMP] = low - 1; ++NTEMP; HT_CHECK_MEMORY_ADJUST if (pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) return FALSE; RANGELEN[NTEMP] = 32; - RANGELOW[NTEMP] = HTHIGH; + RANGELOW[NTEMP] = high; NTEMP = NTEMP + 1; if (HTOOB) { HT_CHECK_MEMORY_ADJUST -- cgit v1.2.3
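Review bot: The two casts that produce `low` and `high` carry the whole fix, yet nothing at that spot says why values read into `FX_DWORD` are reinterpreted as signed before `if (low > high)`. Presumably the table bounds are signed 32-bit quantities and the old unsigned comparison rejected tables with a negative lower bound; a comment above the casts such as `// HTLOW/HTHIGH are read as unsigned but hold signed 32-bit bounds; compare them as int.` would record that, once confirmed against the table definition. The new early exit also spells `return false;` while every other exit visible in parseFromCodedBuffer spells `return FALSE;`, so one form should be used throughout. The function body continues outside the hunk.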
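Review bot: In the second hunk, `cur_low += (1 << RANGELEN[NTEMP]);` shifts by a count that `readNBits(HTRS, ...)` has just taken from the stream, and now that `cur_low` is a signed `int`, both an over-wide shift and the addition itself can overflow. That is undefined behaviour, whereas the old `FX_DWORD` arithmetic wrapped. The data comes from the document being decoded, so I would reject the length before shifting and keep the running bound in 64 bits, as sketched below; the declaration of `cur_low` sits in the previous hunk. `RANGELOW[NTEMP] = low - 1;` overflows in the same way if HTLOW decodes to the minimum 32-bit value, and needs either a check or a comment saying why that cannot happen. The width of HTRS is set outside these hunks, so the reachable shift counts should be confirmed there; the function body starts and ends outside the hunk.

```cpp
// … unchanged: allocation of PREFLEN, RANGELEN and RANGELOW …
int64_t cur_low = low;
NTEMP = 0;
do {
  // … unchanged: HT_CHECK_MEMORY_ADJUST and the two readNBits calls …
  if (RANGELEN[NTEMP] >= 32)
    return FALSE;
  // cur_low is either low or still below high here, so it fits in int.
  RANGELOW[NTEMP] = static_cast<int>(cur_low);
  cur_low += int64_t{1} << RANGELEN[NTEMP];
  NTEMP = NTEMP + 1;
} while (cur_low < high);
```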