From 28cad1534619d55820593baed0b6d6f3cbf767eb Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Wed, 2 May 2018 14:33:54 +0000
Subject: Make several Huffman decoders consistently check for integer overflows.

BUG=chromium:837972
Change-Id: I6cfa28bff38870419e4b1e2bced427cfcbf843cd
Reviewed-on: https://pdfium-review.googlesource.com/31912
Commit-Queue: Ryan Harrison
Reviewed-by: Ryan Harrison
---
 core/fxcodec/jbig2/JBig2_Context.cpp        | 14 +++++++++-----
 core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp | 10 ++++++++--
 core/fxcodec/jbig2/JBig2_TrdProc.cpp        | 14 +++++++-------
 3 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 1763144b49..b753380aa2 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -23,6 +23,7 @@
 #include "core/fxcodec/jbig2/JBig2_PddProc.h"
 #include "core/fxcodec/jbig2/JBig2_SddProc.h"
 #include "core/fxcodec/jbig2/JBig2_TrdProc.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "core/fxcrt/pauseindicator_iface.h"
 #include "third_party/base/ptr_util.h"
 
@@ -1269,17 +1270,20 @@ std::vector CJBig2_Context::DecodeSymbolIDHuffmanTable(
   int32_t i = 0;
   while (i < static_cast(SBNUMSYMS)) {
     size_t j;
-    int32_t nVal = 0;
+    FX_SAFE_INT32 nSafeVal = 0;
     int32_t nBits = 0;
     uint32_t nTemp;
     while (true) {
-      if (nVal > std::numeric_limits::max() / 2 || m_pStream->read1Bit(&nTemp) != 0) {
+      if (m_pStream->read1Bit(&nTemp) != 0)
+        return std::vector();
+
+      nSafeVal <<= 1;
+      if (!nSafeVal.IsValid())
         return std::vector();
-      }
-      nVal = (nVal << 1) | nTemp;
+      nSafeVal |= nTemp;
       ++nBits;
+      const int32_t nVal = nSafeVal.ValueOrDie();
       for (j = 0; j < kRunCodesSize; ++j) {
         if (nBits == huffman_codes[j].codelen && nVal == huffman_codes[j].code)
           break;
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
index cdb6fbe752..7f250a5d08 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
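Review bot: The shift / `IsValid()` / OR / `ValueOrDie()` sequence introduced in this hunk is repeated almost verbatim in DecodeAValue (JBig2_HuffmanDecoder.cpp) and DecodeHuffman (JBig2_TrdProc.cpp); since the commit's stated goal is that the three decoders check overflow consistently, a small shared helper that reads one bit and appends it to a FX_SAFE_INT32 would keep the three guards from drifting apart again, and would make this the last time the check has to be re-added by hand. The line `if (!nSafeVal.IsValid())` also deserves a why-comment, because as far as I read the checked shift it is now the only thing that bounds this `while (true)` on a malformed stream: `// Checked shift fails once the code exceeds 31 bits; this bounds the loop.` Note that, compared with the removed guard, a bit is consumed before the overflow is detected; that is harmless here since the function returns an empty table either way. The enclosing `while (true)` body continues past the end of this hunk.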
+++ b/core/fxcodec/jbig2/JBig2_HuffmanDecoder.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h"
 
 #include "core/fxcodec/jbig2/JBig2_Define.h"
+#include "core/fxcrt/fx_safe_types.h"
 
 CJBig2_HuffmanDecoder::CJBig2_HuffmanDecoder(CJBig2_BitStream* pStream) : m_pStream(pStream) {}
@@ -15,15 +16,20 @@ CJBig2_HuffmanDecoder::~CJBig2_HuffmanDecoder() {}
 
 int CJBig2_HuffmanDecoder::DecodeAValue(CJBig2_HuffmanTable* pTable, int* nResult) {
-  int nVal = 0;
+  FX_SAFE_INT32 nSafeVal = 0;
   int nBits = 0;
   while (1) {
     uint32_t nTmp;
     if (m_pStream->read1Bit(&nTmp) == -1)
       break;
 
-    nVal = (nVal << 1) | nTmp;
+    nSafeVal <<= 1;
+    if (!nSafeVal.IsValid())
+      break;
+
+    nSafeVal |= nTmp;
     ++nBits;
+    const int32_t nVal = nSafeVal.ValueOrDie();
     for (uint32_t i = 0; i < pTable->Size(); ++i) {
       const JBig2HuffmanCode& code = pTable->GetCODES()[i];
       if (code.codelen != nBits || code.code != nVal)
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index b59f63bab4..ff94309bc4 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -12,6 +12,7 @@
 #include "core/fxcodec/jbig2/JBig2_ArithIntDecoder.h"
 #include "core/fxcodec/jbig2/JBig2_GrrdProc.h"
 #include "core/fxcodec/jbig2/JBig2_HuffmanDecoder.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "core/fxcrt/maybe_owned.h"
 #include "third_party/base/ptr_util.h"
 
@@ -81,7 +82,7 @@ std::unique_ptr CJBig2_TRDProc::DecodeHuffman(
     return nullptr;
 
   int32_t TI = SAFE_TI.ValueOrDie();
-  pdfium::base::CheckedNumeric nVal = 0;
+  FX_SAFE_INT32 nSafeVal = 0;
   int32_t nBits = 0;
   uint32_t IDI;
   for (;;) {
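Review bot: In the DecodeAValue hunk the new overflow path at `if (!nSafeVal.IsValid()) break;` leaves the `while (1)` the same way a failed `read1Bit()` does, so this fix is only correct if the code after the loop — outside this hunk — treats falling out of the loop as a decode failure rather than as a value; worth confirming, since the other two decoders in this commit return an error directly at the same point. A comment would make the intent explicit and mirror the two sibling sites: `// Code exceeded 31 bits: give up, as for a truncated stream.` Also, `nSafeVal |= nTmp;` ORs a `uint32_t` into an int32 checked value; that is fine only because `read1Bit()` presumably yields 0 or 1, which is worth stating in the same comment. The JBig2_TrdProc.cpp hunk on this line is a plain rename and needs nothing.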
@@ -89,17 +90,16 @@ std::unique_ptr CJBig2_TRDProc::DecodeHuffman(
     if (pStream->read1Bit(&nTmp) != 0)
       return nullptr;
 
-    nVal <<= 1;
-    if (!nVal.IsValid())
+    nSafeVal <<= 1;
+    if (!nSafeVal.IsValid())
       return nullptr;
 
-    nVal |= nTmp;
+    nSafeVal |= nTmp;
     ++nBits;
+    const int32_t nVal = nSafeVal.ValueOrDie();
     for (IDI = 0; IDI < SBNUMSYMS; ++IDI) {
-      if ((nBits == SBSYMCODES[IDI].codelen) &&
-          (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
+      if (nBits == SBSYMCODES[IDI].codelen && nVal == SBSYMCODES[IDI].code)
         break;
-      }
     }
     if (IDI < SBNUMSYMS)
       break;
-- 
cgit v1.2.3
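Review bot: `const int32_t nVal = nSafeVal.ValueOrDie();` is safe only because of the `IsValid()` test four lines above it, and a future edit that moves either line would turn a malformed stream into a CHECK failure; if pdfium's third_party/base copy of CheckedNumeric carries `AssignIfValid`, the validity test and the extraction can be one step — keep `nSafeVal <<= 1;` and `nSafeVal |= nTmp;`, drop the separate `IsValid()` check, and write `int32_t nVal; if (!nSafeVal.AssignIfValid(&nVal)) return nullptr;` (an invalid shift stays invalid through the OR, so nothing is lost). The same shape would apply to the two sibling hunks in this commit. The enclosing `for (;;)` closes after the end of this hunk.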