From 7055dffad92bd7be7cdb20ed12d5cc5890177e7a Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 8 Nov 2017 17:39:12 +0000
Subject: Prevent cyclic offset on CJBig2_Context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This CL changes the type of |m_dwOffset| to safe unsigned integer to prevent the offset from cycling from MAX_UINT32 back to 0.

Bug: chromium:778912
Change-Id: Ib93a8392e52eecf2cc223438ac85e9dc529b0f43
Reviewed-on: https://pdfium-review.googlesource.com/18130
Reviewed-by: Tom Sepez
Commit-Queue: Nicolás Peña Moreno
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 5 ++++-
 core/fxcodec/jbig2/JBig2_Context.h | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 53e6b7a84a..6985c0e927 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -101,7 +101,10 @@ int32_t CJBig2_Context::decode_SquentialOrgnazation(
   }
   if (m_pSegment->m_dwData_length != 0xffffffff) {
     m_dwOffset += m_pSegment->m_dwData_length;
-    m_pStream->setOffset(m_dwOffset);
+    if (!m_dwOffset.IsValid())
+      return JBIG2_ERROR_FATAL;
+
+    m_pStream->setOffset(m_dwOffset.ValueOrDie());
   } else {
     m_pStream->offset(4);
   }
diff --git a/core/fxcodec/jbig2/JBig2_Context.h b/core/fxcodec/jbig2/JBig2_Context.h
index 314db9083a..749ec901f4 100644
--- a/core/fxcodec/jbig2/JBig2_Context.h
+++ b/core/fxcodec/jbig2/JBig2_Context.h
@@ -16,6 +16,7 @@
 #include "core/fxcodec/fx_codec_def.h"
 #include "core/fxcodec/jbig2/JBig2_Page.h"
 #include "core/fxcodec/jbig2/JBig2_Segment.h"
+#include "core/fxcrt/fx_safe_types.h"
 
 class CJBig2_ArithDecoder;
 class CJBig2_GRDProc;
@@ -101,7 +102,7 @@ class CJBig2_Context {
   std::unique_ptr m_pArithDecoder;
   std::unique_ptr m_pGRD;
   std::unique_ptr m_pSegment;
-  uint32_t m_dwOffset;
+  FX_SAFE_UINT32 m_dwOffset;
   JBig2RegionInfo m_ri;
   std::list* const m_pSymbolDictCache;
   bool m_bIsGlobal;
-- 
cgit v1.2.3
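Review bot: The new `IsValid()` guard in decode_SquentialOrgnazation only rejects arithmetic wrap-around of `m_dwOffset`; whether the summed offset still lies within the stream's actual length is left entirely to `m_pStream->setOffset()`, which is not visible in this hunk, so it would help to confirm that setOffset refuses an out-of-range offset rather than trusting the caller. Since `m_dwData_length` comes straight from the segment header of untrusted JBIG2 data, a short why-comment above the check would keep the next maintainer from "simplifying" it away, e.g. `// m_dwData_length is untrusted; a wrapped offset would re-read earlier segment data.` The function decode_SquentialOrgnazation starts and ends outside the hunk, and the `else` branch that advances the stream by 4 without touching `m_dwOffset` is pre-existing, so whether `m_dwOffset` is expected to stay in sync there cannot be judged from here.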
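Review bot: The member hunk in JBig2_Context.h changes `m_dwOffset` to `FX_SAFE_UINT32` without documenting why this one offset is checked while the neighbouring members are plain types, and the class body around it is outside the hunk. A one-line comment on the declaration would record the intent, e.g. `// Checked: accumulates untrusted segment lengths and must not wrap past UINT32_MAX.` It is also worth confirming, in the constructor and any other reader of `m_dwOffset` not shown in this diff, that the value is only consumed through `IsValid()`/`ValueOrDie()` and that a decode that returned JBIG2_ERROR_FATAL on an invalid offset is not resumed with the member still in its invalid state.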