From 96169fc007f271412ffa7bf2ebd3cf3fc04f71a5 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Mon, 27 Mar 2017 14:06:51 -0400
Subject: Verify available bits in bit stream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The methods to read n bits from the huffman stream are not correctly checking that the bits are available. This means, we'll end up reading 0 bits due to the checks below and pretend like the read worked. This Cl adds the check that we are not at the end of the bit buffer before attempting the bit read.
Bug: chromium:672176
Change-Id: I206f2d54da31c344cf649ca024644d1cce762fe7
Reviewed-on: https://pdfium-review.googlesource.com/3231
Reviewed-by: Nicolás Peña
Commit-Queue: dsinclair
---
 core/fxcodec/jbig2/JBig2_BitStream.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/fxcodec/jbig2/JBig2_BitStream.cpp b/core/fxcodec/jbig2/JBig2_BitStream.cpp
index dc4beabc4b..3346521aca 100644
--- a/core/fxcodec/jbig2/JBig2_BitStream.cpp
+++ b/core/fxcodec/jbig2/JBig2_BitStream.cpp
@@ -27,6 +27,9 @@ CJBig2_BitStream::CJBig2_BitStream(CPDF_StreamAcc* pSrcStream)
 CJBig2_BitStream::~CJBig2_BitStream() {}
 int32_t CJBig2_BitStream::readNBits(uint32_t dwBits, uint32_t* dwResult) {
+ if (!IsInBound())
+ return -1;
+
 uint32_t dwBitPos = getBitPos();
 if (dwBitPos > LengthInBits())
 return -1;
@@ -46,6 +49,9 @@ int32_t CJBig2_BitStream::readNBits(uint32_t dwBits, uint32_t* dwResult) {
 }
 int32_t CJBig2_BitStream::readNBits(uint32_t dwBits, int32_t* nResult) {
+ if (!IsInBound())
+ return -1;
+
 uint32_t dwBitPos = getBitPos();
 if (dwBitPos > LengthInBits())
 return -1;
--
cgit v1.2.3
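Review bot: The new `IsInBound()` guard at the top of `readNBits(uint32_t, uint32_t*)` only establishes that the cursor has not reached the end of the buffer; it does not show that `dwBits` bits are actually left. The rest of the body is outside the hunk, but the commit message says the checks below can shrink the read, so a request that starts in bounds and runs past the end presumably still returns 0 with fewer bits than asked for. In a decoder fed by untrusted JBIG2 data, that is the same silent short read this change targets. Consider rejecting it up front with `if (dwBits > LengthInBits() - dwBitPos) return -1;` placed after the existing `dwBitPos > LengthInBits()` check, unless callers are known to rely on partial reads. The same applies to the `int32_t*` overload in the second hunk.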
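Review bot: The guard added to `readNBits(uint32_t, int32_t*)` is a copy of the one in the `uint32_t*` overload, so the end-of-buffer handling now has to be kept in sync in two places. If the two bodies (which continue outside the hunk) differ only in the result type, the signed overload could call the unsigned one and cast the result, leaving a single bounds check to maintain. The diffstat also shows no test in this commit; a unit test that calls both overloads on an exhausted stream and expects `-1` would pin the fix.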