From c6c71f1062aa8b22d432af5cbbfddf038a6d2d3f Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Mon, 10 Apr 2017 16:14:05 -0400
Subject: Use checked_numeric to guard shift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's possible for the RANGELEN[NTEMP] value to be larger then 32. This
will make the shift invalid if the 1 is an int. This CL changes to 1L
and uses the CheckedNumeric to validate that the result is inside the
needed range for an int.

Bug: chromium:708439
Change-Id: I1f0359985c2d7769367bd0edcf5e081f5bb58816
Reviewed-on: https://pdfium-review.googlesource.com/3991
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
---
 core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 3bb6ae620c..a4998e99cf 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -70,6 +70,10 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
       return false;
     }
     RANGELOW[NTEMP] = cur_low.ValueOrDie();
+
+    if (RANGELEN[NTEMP] >= 32)
+      return false;
+
     cur_low += (1 << RANGELEN[NTEMP]);
     if (!cur_low.IsValid())
       return false;
-- 
cgit v1.2.3