From 96e65ae3a3a328022f025805e9db02cbed1b5607 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Mon, 10 Apr 2017 17:32:01 -0400
Subject: Guard against negative shift in nVal calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's possible for the nVal to become negative as it is shifted. This Cl
changes nVal to be a checked_numeric and bails out if the shift is invalid.

Bug: chromium:708504
Change-Id: Ia2ebbc828ece7f7d443432542784b39defe6a897
Reviewed-on: https://pdfium-review.googlesource.com/4010
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index cf58d9c3c6..f681e05569 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -69,7 +69,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
         CURT = nVal;
       }
       int32_t TI = STRIPT + CURT;
-      int32_t nVal = 0;
+      pdfium::base::CheckedNumeric<int32_t> nVal = 0;
       int32_t nBits = 0;
       uint32_t IDI;
       for (;;) {
@@ -77,11 +77,15 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
         if (pStream->read1Bit(&nTmp) != 0)
           return nullptr;
 
-        nVal = (nVal << 1) | nTmp;
+        nVal <<= 1;
+        if (!nVal.IsValid())
+          return nullptr;
+
+        nVal |= nTmp;
         nBits++;
         for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
           if ((nBits == SBSYMCODES[IDI].codelen) &&
-              (nVal == SBSYMCODES[IDI].code)) {
+              (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
             break;
           }
         }
@@ -101,11 +105,12 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
         int32_t RDHI;
         int32_t RDXI;
         int32_t RDYI;
+        int32_t HUFFRSIZE;
         if ((pHuffmanDecoder->decodeAValue(SBHUFFRDW, &RDWI) != 0) ||
             (pHuffmanDecoder->decodeAValue(SBHUFFRDH, &RDHI) != 0) ||
             (pHuffmanDecoder->decodeAValue(SBHUFFRDX, &RDXI) != 0) ||
             (pHuffmanDecoder->decodeAValue(SBHUFFRDY, &RDYI) != 0) ||
-            (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &nVal) != 0)) {
+            (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &HUFFRSIZE) != 0)) {
           return nullptr;
         }
         pStream->alignByte();
@@ -141,7 +146,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 
         pStream->alignByte();
         pStream->offset(2);
-        if ((uint32_t)nVal != (pStream->getOffset() - nTmp)) {
+        if (static_cast<uint32_t>(HUFFRSIZE) != (pStream->getOffset() - nTmp)) {
           delete IBI;
           return nullptr;
         }
-- 
cgit v1.2.3