From 7f41d68152885d9b391fd9cc96d9754969b78369 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 27 Apr 2018 14:36:57 +0000
Subject: Sanitize the SBNUMINSTANCES value in the JBIG2 decoder.

BUG=chromium:837192

Change-Id: Ib9c0e7b4aeb6501e81308844d344a784f7c138d8
Reviewed-on: https://pdfium-review.googlesource.com/31490
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 57bae1c617..88c8cfa21c 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -689,6 +689,16 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
   if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
     return JBIG2_ERROR_TOO_SHORT;
 
+  // Assume each instance takes at least 4 bits. That means for a stream of
+  // length N, there can be at most 2N instances. This is an extremely
+  // conservative estimate just to sanitize the |SBNUMINSTANCES| value.
+  // Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
+  // have a maximum size of roughly 11 GB.
+  FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
+  nMaxStripInstances *= 2;
+  if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
+    return JBIG2_ERROR_FATAL;
+
   for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
     if (!findSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]))
       return JBIG2_ERROR_FATAL;
-- 
cgit v1.2.3