From abf60bae364d98f1b5056db4dad9af5f992fc33a Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 11 May 2015 13:56:06 -0700
Subject: Fix a heap overflow in CJBig2_Context::parseSymbolDict
BUG=476107
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1080893002
(cherry picked from commit eddab4425614e49146f904f00da4a664ba4b581b)
Review URL: https://codereview.chromium.org/1135133002
---
 core/src/fxcodec/jbig2/JBig2_ArithDecoder.h | 4 ++++
 core/src/fxcodec/jbig2/JBig2_ArithQe.h | 1 +
 core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp | 2 ++
 3 files changed, 7 insertions(+)
diff --git a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
index 214688d3b2..33bbe39d0d 100644
--- a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
@@ -72,6 +72,10 @@ inline void CJBig2_ArithDecoder::BYTEIN()
 }
 inline int CJBig2_ArithDecoder::DECODE(JBig2ArithCtx *pCX)
 {
+ if (!pCX || pCX->I >= JBIG2_QE_NUM) {
+ return 0;
+ }
+
 int D;
 const JBig2ArithQe * qe = &QeTable[pCX->I];
 A = A - qe->Qe;
diff --git a/core/src/fxcodec/jbig2/JBig2_ArithQe.h b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
index 5405e425b0..8a723bead0 100644
--- a/core/src/fxcodec/jbig2/JBig2_ArithQe.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
@@ -13,4 +13,5 @@ typedef struct {
 unsigned int nSwitch;
 } JBig2ArithQe;
 extern const JBig2ArithQe QeTable[];
+extern const unsigned int JBIG2_QE_NUM;
 #endif
diff --git a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
index 6179317890..53faab4a46 100644
--- a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
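Review bot: The new guard at the top of DECODE returns 0 with no error signal, so a caller handed a corrupted context keeps decoding as though the bit were valid; nothing in the hunk shows how pCX->I gets outside 0..JBIG2_QE_NUM-1, and since this function only reads the table through that index, the bad value presumably arrives from an uninitialized or undersized context array in the parseSymbolDict named in the title, which this commit does not touch. The comparison `pCX->I >= JBIG2_QE_NUM` reads an extern const that lives in another translation unit, so the compiler cannot fold the bound in this inline hot-path function; if JBig2ArithCtx::I (its declaration is not in the diff) is a signed type, the comparison converts it to unsigned and negative values are rejected as well, which is the behaviour wanted here. The guard deserves a comment so nobody later "fixes" that sign mismatch or treats the early return as normal control flow, e.g. `// Backstop for a corrupted context index (BUG=476107): never index past QeTable; decode a 0 bit instead of reading out of bounds.` DECODE's body continues past the end of the hunk.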
@@ -61,6 +61,8 @@ extern const JBig2ArithQe QeTable[] = {
 { 0x5601, 46, 46, 0 }
 };
+extern const unsigned int JBIG2_QE_NUM = sizeof(QeTable) / sizeof(JBig2ArithQe);
+
 CJBig2_Image *CJBig2_GRDProc::decode_Arith(CJBig2_ArithDecoder *pArithDecoder, JBig2ArithCtx *gbContext)
 {
 if (GBW == 0 || GBH == 0) {
--
cgit v1.2.3
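Review bot: The count is derived from `sizeof(QeTable) / sizeof(JBig2ArithQe)`, but nothing ties it to the successor indices the table itself carries; the last visible row `{ 0x5601, 46, 46, 0 }` has its two middle columns (presumably the next-state indices) pointing at 46, and the bounds check added to DECODE only validates the index on entry, so the guard is sufficient only if every successor index in the table is below JBIG2_QE_NUM. That invariant should be stated where the count is defined, e.g. `// Every next-state index in QeTable must be < JBIG2_QE_NUM; DECODE's bounds check relies on it.`, and ideally enforced by a debug-time check or a compile-time assertion if the codebase has one. Defining the count in the .cpp also means the header-inline DECODE pays a load for the bound on every call rather than comparing against an immediate. decode_Arith, which starts below the added lines, continues outside the hunk.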