From 8975902470dbfc15289b69f41e43ad0433ca51ae Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Tue, 7 Jun 2016 09:48:39 -0700
Subject: Verify we have a CJBig2_Image before attempting use.

In CJBig2_SDDProc::decode_Arith we will set a SDNEWSYMS value to nullptr if the height or width are 0. With the PDF from the bug, all of the decoders are set to nullptr. Then, we call into CJBig2_TRDProc::decode_Arith and pull out one of the nullptr decoders and attempt to use it, crashing.

This CL adds a check that we have a non-null decoder before attempting to use the decoder.

BUG=pdfium:511

Review-Url: https://codereview.chromium.org/2048683002
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 7 +++++--
 core/fxcodec/jbig2/JBig2_TrdProc.h | 1 -
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index 5b0ef19505..177db9dec9 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -324,11 +324,14 @@ CJBig2_Image* CJBig2_TRDProc::decode_Arith(CJBig2_ArithDecoder* pArithDecoder,
 pIARDX->decode(pArithDecoder, &RDXI);
 pIARDY->decode(pArithDecoder, &RDYI);
 CJBig2_Image* IBOI = SBSYMS[IDI];
+ if (!IBOI)
+ return nullptr;
+
 uint32_t WOI = IBOI->m_nWidth;
 uint32_t HOI = IBOI->m_nHeight;
- if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0) {
+ if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0)
 return nullptr;
- }
+
 std::unique_ptr pGRRD(new CJBig2_GRRDProc());
 pGRRD->GRW = WOI + RDWI;
 pGRRD->GRH = HOI + RDHI;
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.h b/core/fxcodec/jbig2/JBig2_TrdProc.h
index fdad75fb6e..83e43ec05f 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.h
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.h
@@ -47,7 +47,6 @@ class CJBig2_TRDProc {
 JBig2ArithCtx* grContext,
 JBig2IntDecoderState* pIDS);
 
- public:
 FX_BOOL SBHUFF;
 FX_BOOL SBREFINE;
 uint32_t SBW;
-- 
cgit v1.2.3
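Review bot: The new `if (!IBOI) return nullptr;` guards only the refinement branch's read of `SBSYMS[IDI]`, while the commit message says any SDNEWSYMS entry can be null, so every other place decode_Arith (and decode_Huffman, if it follows the same pattern) takes a symbol out of SBSYMS and dereferences it presumably needs the same guard; those reads are outside this hunk, so they should be checked rather than assumed closed by this one fix. `IDI` is decoded from the bitstream just before this indexing, and if it is not bounded against the symbol count before `SBSYMS[IDI]` (not visible in the hunk) the null check sits after an out-of-range read, so a guard like `if (IDI >= SBNUMSYMS) return nullptr;` belongs ahead of it. A one-line why-comment on the new check would save the next reader a trip to SDDProc: `// SDDProc stores nullptr for zero-width/height symbols; bail rather than dereference.` The enclosing decode_Arith starts and ends outside the hunk.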