From 956cb632e00558d20ccf756ebc286bce2674e774 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Mon, 30 Oct 2017 19:30:52 +0000
Subject: More safe ints in CJBig2_TRDProc
Bug: chromium:778961
Change-Id: I1d08b3282304931276c24e50392c10b21780dcde
Reviewed-on: https://pdfium-review.googlesource.com/16971
Commit-Queue: dsinclair
Reviewed-by: Tom Sepez
Reviewed-by: dsinclair
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 41 ++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index 2724d1de49..f033c9bfea 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -25,10 +25,11 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
   auto pHuffmanDecoder = pdfium::MakeUnique(pStream);
   auto SBREG = pdfium::MakeUnique(SBW, SBH);
   SBREG->fill(SBDEFPIXEL);
-  int32_t STRIPT;
-  if (pHuffmanDecoder->decodeAValue(SBHUFFDT, &STRIPT) != 0)
+  int32_t INITIAL_STRIPT;
+  if (pHuffmanDecoder->decodeAValue(SBHUFFDT, &INITIAL_STRIPT) != 0)
     return nullptr;
+  FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
   STRIPT *= SBSTRIPS;
   STRIPT = -STRIPT;
   int32_t FIRSTS = 0;
@@ -39,9 +40,9 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
       return nullptr;
     DT *= SBSTRIPS;
-    STRIPT = STRIPT + DT;
+    STRIPT += DT;
     bool bFirst = true;
-    int32_t CURS = 0;
+    FX_SAFE_INT32 CURS = 0;
     for (;;) {
       if (bFirst) {
         int32_t DFS;
@@ -60,7 +61,8 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
         if (nVal != 0)
           return nullptr;
-        CURS = CURS + IDS + SBDSOFFSET;
+        CURS += IDS;
+        CURS += SBDSOFFSET;
       }
       uint8_t CURT = 0;
       if (SBSTRIPS != 1) {
@@ -73,7 +75,11 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
         CURT = nVal;
       }
-      int32_t TI = STRIPT + CURT;
+      FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+      if (!SAFE_TI.IsValid())
+        return nullptr;
+
+      int32_t TI = SAFE_TI.ValueOrDie();
       pdfium::base::CheckedNumeric nVal = 0;
       int32_t nBits = 0;
       uint32_t IDI;
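Review bot: In the second hunk, `DT *= SBSTRIPS;` on the context line just above the new `STRIPT += DT;` is still plain integer arithmetic, so a large Huffman-decoded DT can overflow (undefined behaviour for a signed type) before the checked addition ever sees it; the first hunk guards the analogous `STRIPT *= SBSTRIPS;` by routing it through FX_SAFE_INT32, so this one looks like an oversight. The checked type is cheap to introduce here, `FX_SAFE_INT32 SAFE_DT = DT; SAFE_DT *= SBSTRIPS; STRIPT += SAFE_DT;`, and the existing `SAFE_TI.IsValid()` test in the fourth hunk would then cover the product as well. DT is declared and decoded above the hunk, so I am inferring its type from the `decodeAValue(..., int32_t*)` pattern in the first hunk; worth confirming it is not already widened there. The enclosing while loop starts before this hunk and ends after it.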
@@ -160,12 +166,15 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
       uint32_t HI = IBI->height();
       if (TRANSPOSED == 0 && ((REFCORNER == JBIG2_CORNER_TOPRIGHT) || (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
-        CURS = CURS + WI - 1;
+        CURS += WI - 1;
       } else if (TRANSPOSED == 1 && ((REFCORNER == JBIG2_CORNER_BOTTOMLEFT) || (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
-        CURS = CURS + HI - 1;
+        CURS += HI - 1;
       }
-      int32_t SI = CURS;
+      if (!CURS.IsValid())
+        return nullptr;
+
+      int32_t SI = CURS.ValueOrDie();
       if (TRANSPOSED == 0) {
         switch (REFCORNER) {
           case JBIG2_CORNER_TOPLEFT:
@@ -199,10 +208,10 @@ std::unique_ptr CJBig2_TRDProc::decode_Huffman(
       }
       if (TRANSPOSED == 0 && ((REFCORNER == JBIG2_CORNER_TOPLEFT) || (REFCORNER == JBIG2_CORNER_BOTTOMLEFT))) {
-        CURS = CURS + WI - 1;
+        CURS += WI - 1;
       } else if (TRANSPOSED == 1 && ((REFCORNER == JBIG2_CORNER_TOPLEFT) || (REFCORNER == JBIG2_CORNER_TOPRIGHT))) {
-        CURS = CURS + HI - 1;
+        CURS += HI - 1;
       }
       NINSTANCES = NINSTANCES + 1;
     }
@@ -259,7 +268,7 @@ std::unique_ptr CJBig2_TRDProc::decode_Arith(
   int32_t FIRSTS = 0;
   uint32_t NINSTANCES = 0;
   while (NINSTANCES < SBNUMINSTANCES) {
-    int32_t CURS = 0;
+    FX_SAFE_INT32 CURS = 0;
     int32_t DT;
     if (!pIADT->decode(pArithDecoder, &DT))
       return nullptr;
@@ -279,7 +288,8 @@ std::unique_ptr CJBig2_TRDProc::decode_Arith(
       if (!pIADS->decode(pArithDecoder, &IDS))
         break;
-      CURS += IDS + SBDSOFFSET;
+      CURS += IDS;
+      CURS += SBDSOFFSET;
     }
     if (NINSTANCES >= SBNUMINSTANCES)
       break;
@@ -353,7 +363,10 @@ std::unique_ptr CJBig2_TRDProc::decode_Arith(
                                      (REFCORNER == JBIG2_CORNER_BOTTOMRIGHT))) {
       CURS += HI - 1;
     }
-    int32_t SI = CURS;
+    if (!CURS.IsValid())
+      return nullptr;
+
+    int32_t SI = CURS.ValueOrDie();
     if (TRANSPOSED == 0) {
       switch (REFCORNER) {
         case JBIG2_CORNER_TOPLEFT:
-- 
cgit v1.2.3
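Review bot: In the first hunk on this line, `CURS += WI - 1;` evaluates `WI - 1` in the width's own unsigned type (HI is declared `uint32_t` on the hunk's first line and WI presumably matches) before the checked add, so a zero-width symbol wraps to the unsigned maximum and is now rejected by the new `CURS.IsValid()` check as an overflow, whereas the old `CURS = CURS + WI - 1;` silently absorbed the wrap and moved the cursor back by one. That is the safe direction, but it is a behaviour change for degenerate symbols that the commit message does not mention; if zero-size symbols are legitimate input, `CURS += WI; CURS -= 1;` keeps the subtraction inside the checked type, otherwise a short comment on the check saying it also rejects zero-size symbols would spare the next reader the analysis. The same applies to the `HI - 1` branches in this hunk and the next, and to the pre-existing `CURS += HI - 1;` context line in the last decode_Arith hunk, which is now subject to the same check. The enclosing loop bodies start before and end after these hunks.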