From 7f41d68152885d9b391fd9cc96d9754969b78369 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 27 Apr 2018 14:36:57 +0000
Subject: Sanitize the SBNUMINSTANCES value in the JBIG2 decoder.

BUG=chromium:837192
Change-Id: Ib9c0e7b4aeb6501e81308844d344a784f7c138d8
Reviewed-on: https://pdfium-review.googlesource.com/31490
Commit-Queue: Ryan Harrison
Reviewed-by: Ryan Harrison
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 57bae1c617..88c8cfa21c 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -689,6 +689,16 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
   if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
     return JBIG2_ERROR_TOO_SHORT;
 
+  // Assume each instance takes at least 4 bits. That means for a stream of
+  // length N, there can be at most 2N instances. This is an extremely
+  // conservative estimate just to sanitize the |SBNUMINSTANCES| value.
+  // Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
+  // have a maximum size of roughly 11 GB.
+  FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
+  nMaxStripInstances *= 2;
+  if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
+    return JBIG2_ERROR_FATAL;
+
   for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
     if (!findSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]))
       return JBIG2_ERROR_FATAL;
-- 
cgit v1.2.3
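Review bot: The `ValueOrDie()` call in the new line `if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())` turns an overflow of `getLength() * 2` into a CHECK abort rather than a parse failure, and the comment's own premise contradicts its "should never overflow" claim: a file of roughly 11 GB admits an embedded stream longer than ~1 GiB, whose doubled length exceeds INT32_MAX, so an attacker-sized input can reach that abort. If `getLength()` and `SBNUMINSTANCES` are 32-bit quantities (their declarations are not visible in this hunk), doing the arithmetic in 64 bits keeps the same bound without the crash path: `const uint64_t nMaxStripInstances = static_cast<uint64_t>(m_pStream->getLength()) * 2;` followed by `if (pTRD->SBNUMINSTANCES > nMaxStripInstances) return JBIG2_ERROR_FATAL;`. If the checked type is kept instead, test `IsValid()` and treat an invalid value as `JBIG2_ERROR_FATAL` rather than calling `ValueOrDie()`, and drop the "should never overflow" sentence from the comment. parseTextRegion begins and ends outside this hunk.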