From ace0c8cfa6ccc97e32e083b4d7ca9d026772c585 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Tue, 7 Aug 2018 17:55:39 +0000
Subject: Merge to M69: Bounds check lineSrc in JBig2_Image.cpp.

No matter how the dimensions might be determined, we know the
hard end of the source line, and can use it for a bounds check.
We expect the size is quantized to a multiple of m_stride, so
as long as each block operates within an m_stride, the initial
check should be sufficient.

TBR=thestig@chromium.org

Bug: 867501
Change-Id: Iaf9936557b856f3eb09fef522f3e6738aa4f38f0
Reviewed-on: https://pdfium-review.googlesource.com/39310
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit 0562ff4f6e2ec555212d90f2f5b1751d5d576107)
Reviewed-on: https://pdfium-review.googlesource.com/39570
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 core/fxcodec/jbig2/JBig2_Image.cpp                 |  21 +++++++++++++++++----
 testing/resources/pixel/bug_867501.pdf             | Bin 0 -> 771 bytes
 .../resources/pixel/bug_867501_expected.pdf.0.png  | Bin 0 -> 1043 bytes
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 testing/resources/pixel/bug_867501.pdf
 create mode 100644 testing/resources/pixel/bug_867501_expected.pdf.0.png

diff --git a/core/fxcodec/jbig2/JBig2_Image.cpp b/core/fxcodec/jbig2/JBig2_Image.cpp
index 442a36d2a6..59f65c6f4d 100644
--- a/core/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/fxcodec/jbig2/JBig2_Image.cpp
@@ -705,8 +705,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
   int32_t maskL = 0xffffffff >> d1;
   int32_t maskR = 0xffffffff << ((32 - (xd1 & 31)) % 32);
   int32_t maskM = maskL & maskR;
-  uint8_t* lineSrc =
+  const uint8_t* lineSrc =
       data() + (rtSrc.top + ys0) * m_nStride + (((xs0 + rtSrc.left) >> 5) << 2);
+  const uint8_t* lineSrcEnd = data() + m_nHeight * m_nStride;
   int32_t lineLeft = m_nStride - ((xs0 >> 5) << 2);
   uint8_t* lineDst = pDst->data() + yd0 * pDst->m_nStride + ((xd0 >> 5) << 2);
   if ((xd0 & ~31) == ((xd1 - 1) & ~31)) {
@@ -714,6 +715,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
       if (s1 > d1) {
         uint32_t shift = s1 - d1;
         for (int32_t yy = yd0; yy < yd1; yy++) {
+          if (lineSrc >= lineSrcEnd)
+            return false;
           uint32_t tmp1 = JBIG2_GETDWORD(lineSrc) << shift;
           uint32_t tmp2 = JBIG2_GETDWORD(lineDst);
           uint32_t tmp = 0;
@@ -744,6 +747,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
       } else {
         uint32_t shift = d1 - s1;
         for (int32_t yy = yd0; yy < yd1; yy++) {
+          if (lineSrc >= lineSrcEnd)
+            return false;
           uint32_t tmp1 = JBIG2_GETDWORD(lineSrc) >> shift;
           uint32_t tmp2 = JBIG2_GETDWORD(lineDst);
           uint32_t tmp = 0;
@@ -776,6 +781,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
       uint32_t shift1 = s1 - d1;
       uint32_t shift2 = 32 - shift1;
       for (int32_t yy = yd0; yy < yd1; yy++) {
+        if (lineSrc >= lineSrcEnd)
+          return false;
         uint32_t tmp1 = (JBIG2_GETDWORD(lineSrc) << shift1) |
                         (JBIG2_GETDWORD(lineSrc + 4) >> shift2);
         uint32_t tmp2 = JBIG2_GETDWORD(lineDst);
@@ -811,7 +818,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
       uint32_t shift2 = 32 - shift1;
       int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5);
       for (int32_t yy = yd0; yy < yd1; yy++) {
-        uint8_t* sp = lineSrc;
+        if (lineSrc >= lineSrcEnd)
+          return false;
+        const uint8_t* sp = lineSrc;
         uint8_t* dp = lineDst;
         if (d1 != 0) {
           uint32_t tmp1 = (JBIG2_GETDWORD(sp) << shift1) |
@@ -906,7 +915,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
     } else if (s1 == d1) {
       int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5);
       for (int32_t yy = yd0; yy < yd1; yy++) {
-        uint8_t* sp = lineSrc;
+        if (lineSrc >= lineSrcEnd)
+          return false;
+        const uint8_t* sp = lineSrc;
         uint8_t* dp = lineDst;
         if (d1 != 0) {
           uint32_t tmp1 = JBIG2_GETDWORD(sp);
@@ -998,7 +1009,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst,
       uint32_t shift2 = 32 - shift1;
       int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5);
       for (int32_t yy = yd0; yy < yd1; yy++) {
-        uint8_t* sp = lineSrc;
+        if (lineSrc >= lineSrcEnd)
+          return false;
+        const uint8_t* sp = lineSrc;
         uint8_t* dp = lineDst;
         if (d1 != 0) {
           uint32_t tmp1 = JBIG2_GETDWORD(sp) >> shift1;
diff --git a/testing/resources/pixel/bug_867501.pdf b/testing/resources/pixel/bug_867501.pdf
new file mode 100644
index 0000000000..0b517b9c99
Binary files /dev/null and b/testing/resources/pixel/bug_867501.pdf differ
diff --git a/testing/resources/pixel/bug_867501_expected.pdf.0.png b/testing/resources/pixel/bug_867501_expected.pdf.0.png
new file mode 100644
index 0000000000..bd6f8c1cbb
Binary files /dev/null and b/testing/resources/pixel/bug_867501_expected.pdf.0.png differ
-- 
cgit v1.2.3