From bc4b82ea7a9c6603c6a1c89e00f4e6381c1b6804 Mon Sep 17 00:00:00 2001
From: JUN FANG <jun_fang@foxitsoftware.com>
Date: Thu, 21 May 2015 09:56:11 -0700
Subject: Fix an endless loop in CJBig2_HuffmanTable::parseFromCodedBuffer

This issue is trigged by the conversion from unsigned int to signed int.
A large unsigned int is converted to int. It's represented as a negative
int which is used in the condition of while later.

BUG=482639
R=brucedawson@chromium.org

Review URL: https://codereview.chromium.org/1146913003
---
 core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 0a5bc8e645..0616123c1e 100644
--- a/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -103,10 +103,10 @@ int CJBig2_HuffmanTable::parseFromStandardTable(const JBig2TableLine *pTable, in
 int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream)
 {
     unsigned char HTPS, HTRS;
-    int HTLOW, HTHIGH;
-    int CURRANGELOW;
-    int nSize = 16;
-    int CURLEN, LENMAX, CURCODE, CURTEMP, i;
+    FX_DWORD HTLOW, HTHIGH;
+    FX_DWORD CURRANGELOW;
+    FX_DWORD nSize = 16;
+    int CURLEN, LENMAX, CURCODE, CURTEMP;
     int *LENCOUNT;
     int *FIRSTCODE;
     unsigned char cTemp;
@@ -116,8 +116,9 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream)
     HTOOB = cTemp & 0x01;
     HTPS  = ((cTemp >> 1) & 0x07) + 1;
     HTRS  = ((cTemp >> 4) & 0x07) + 1;
-    if(pStream->readInteger((FX_DWORD*)&HTLOW) == -1 ||
-            pStream->readInteger((FX_DWORD*)&HTHIGH) == -1) {
+    if(pStream->readInteger(&HTLOW) == -1  ||
+       pStream->readInteger(&HTHIGH) == -1 ||
+       HTLOW > HTHIGH) {
         goto failed;
     }
     PREFLEN  = (int*)m_pModule->JBig2_Malloc2(sizeof(int), nSize);
@@ -127,8 +128,8 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream)
     NTEMP = 0;
     do {
         HT_CHECK_MEMORY_ADJUST
-        if((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1)
-                || (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) {
+        if((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) ||
+           (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) {
             goto failed;
         }
         RANGELOW[NTEMP] = CURRANGELOW;
@@ -158,7 +159,7 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream)
     }
     CODES = (int*)m_pModule->JBig2_Malloc2(sizeof(int), NTEMP);
     LENMAX = 0;
-    for(i = 0; i < NTEMP; i++) {
+    for(int i = 0; i < NTEMP; i++) {
         if(PREFLEN[i] > LENMAX) {
             LENMAX = PREFLEN[i];
         }
@@ -166,7 +167,7 @@ int CJBig2_HuffmanTable::parseFromCodedBuffer(CJBig2_BitStream *pStream)
     LENCOUNT = (int*)m_pModule->JBig2_Malloc2(sizeof(int), (LENMAX + 1));
     JBIG2_memset(LENCOUNT, 0, sizeof(int) * (LENMAX + 1));
     FIRSTCODE = (int*)m_pModule->JBig2_Malloc2(sizeof(int), (LENMAX + 1));
-    for(i = 0; i < NTEMP; i++) {
+    for(int i = 0; i < NTEMP; i++) {
         LENCOUNT[PREFLEN[i]] ++;
     }
     CURLEN = 1;
-- 
cgit v1.2.3