From 96e65ae3a3a328022f025805e9db02cbed1b5607 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Mon, 10 Apr 2017 17:32:01 -0400
Subject: Guard against negative shift in nVal calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's possible for the nVal to become negative as it is shifted. This Cl changes nVal to be a checked_numeric and bails out if the shift is invalid.

Bug: chromium:708504
Change-Id: Ia2ebbc828ece7f7d443432542784b39defe6a897
Reviewed-on: https://pdfium-review.googlesource.com/4010
Commit-Queue: dsinclair
Reviewed-by: Nicolás Peña
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index cf58d9c3c6..f681e05569 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -69,7 +69,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 CURT = nVal;
 }
 int32_t TI = STRIPT + CURT;
- int32_t nVal = 0;
+ pdfium::base::CheckedNumeric nVal = 0;
 int32_t nBits = 0;
 uint32_t IDI;
 for (;;) {
@@ -77,11 +77,15 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 if (pStream->read1Bit(&nTmp) != 0)
 return nullptr;
 
- nVal = (nVal << 1) | nTmp;
+ nVal <<= 1;
+ if (!nVal.IsValid())
+ return nullptr;
+
+ nVal |= nTmp;
 nBits++;
 for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
 if ((nBits == SBSYMCODES[IDI].codelen) &&
- (nVal == SBSYMCODES[IDI].code)) {
+ (nVal.ValueOrDie() == SBSYMCODES[IDI].code)) {
 break;
 }
 }
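Review bot: The new declaration `pdfium::base::CheckedNumeric nVal = 0;` in the `@@ -69,7 +69,7 @@` hunk shows no template argument in this rendering, which is presumably an extraction artefact rather than the committed text; if the intended type is `CheckedNumeric<int32_t>`, matching the removed `int32_t nVal = 0;`, then a shift that reaches the sign bit is what invalidates the value, so the accepted code length is effectively capped at 31 bits. That cap is the real protection the commit adds and deserves a comment on the declaration, e.g. `// Checked so an over-long symbol code invalidates nVal instead of overflowing a signed shift.` The enclosing decode_Huffman body starts before the hunk, and the outer `nVal` referenced by `CURT = nVal;` is a different variable from the one declared here, which is easy to misread.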
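Review bot: In the `@@ -77,11 +77,15 @@` hunk, `nVal.ValueOrDie()` is re-evaluated on every iteration of the inner symbol loop although the value cannot change inside it; reading it once after the validity check, `const int32_t code = nVal.ValueOrDie();`, and comparing `code` in the loop ties the unchecked read visibly to the `IsValid()` guard that makes it safe. The `if (!nVal.IsValid()) return nullptr;` branch is also the only exit from the outer `for (;;)` when the stream never matches any symbol code, which is worth stating with a comment such as `// A code longer than the checked width cannot match any symbol; reject the stream.` The `for (;;)` loop and the function continue past the end of the hunk.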
@@ -101,11 +105,12 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 int32_t RDHI;
 int32_t RDXI;
 int32_t RDYI;
+ int32_t HUFFRSIZE;
 if ((pHuffmanDecoder->decodeAValue(SBHUFFRDW, &RDWI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDH, &RDHI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDX, &RDXI) != 0) ||
 (pHuffmanDecoder->decodeAValue(SBHUFFRDY, &RDYI) != 0) ||
- (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &nVal) != 0)) {
+ (pHuffmanDecoder->decodeAValue(SBHUFFRSIZE, &HUFFRSIZE) != 0)) {
 return nullptr;
 }
 pStream->alignByte();
@@ -141,7 +146,7 @@ CJBig2_Image* CJBig2_TRDProc::decode_Huffman(CJBig2_BitStream* pStream,
 pStream->alignByte();
 pStream->offset(2);
 
- if ((uint32_t)nVal != (pStream->getOffset() - nTmp)) {
+ if (static_cast(HUFFRSIZE) != (pStream->getOffset() - nTmp)) {
 delete IBI;
 return nullptr;
 }
-- 
cgit v1.2.3
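Review bot: `HUFFRSIZE` is decoded as a signed `int32_t` in the `@@ -101,11 +105,12 @@` hunk and then, in the `@@ -141,7 +146,7 @@` hunk, compared with `pStream->getOffset() - nTmp` through a `static_cast` whose target type is missing in this rendering (presumably `uint32_t`, as in the removed C-style cast); a negative decoded size only fails that comparison by unsigned wrap-around, so an explicit `if (HUFFRSIZE < 0) return nullptr;` after the decodeAValue chain would make the rejection deliberate rather than incidental. Separating the variable from `nVal` is the right move, since the old code reused a name that the shifting loop above now guards. The new local is declared uninitialized like its RDWI/RDHI/RDXI/RDYI siblings; the visible control flow returns before any use when decoding fails, so this is consistent, but the use site is in a different hunk and the function continues beyond both.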