From 587ec1975017ecbf13c1c3faf64c1008a95846f2 Mon Sep 17 00:00:00 2001
From: kcwu
Date: Thu, 6 Oct 2016 12:29:13 -0700
Subject: Reject JBig2 Huffman table with too large shift value

BUG=chromium:653044
Review-Url: https://codereview.chromium.org/2397783002
---
 core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 3b34018c2d..26f0e52310 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -64,7 +64,8 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
 int cur_low = low;
 do {
 if ((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) ||
- (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) {
+ (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1) ||
+ (static_cast(RANGELEN[NTEMP]) >= 8 * sizeof(cur_low))) {
 return false;
 }
 RANGELOW[NTEMP] = cur_low;
-- 
cgit v1.2.3
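Review bot: The added bound `>= 8 * sizeof(cur_low)` still accepts a RANGELEN of bit-width minus one (31 for a 32-bit `int`), so the check stops out-of-range shift counts but not a count that reaches the sign bit. Going by the subject line the value is later used as a shift count, presumably on a signed `int` that is then added to `cur_low`; that code is outside this hunk (the `do` loop body continues past it), so this needs confirming against the full function. If it holds, a stream-supplied count of 31 can still drive the accumulation into signed overflow, which is undefined behaviour on attacker-controlled input. Unless a valid table needs that value, tighten the comparison to `>= 8 * sizeof(cur_low) - 1` and add a comment such as `// RANGELEN is a shift count applied to cur_low's type; reject anything that reaches the sign bit or the full width.`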