From c6c71f1062aa8b22d432af5cbbfddf038a6d2d3f Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Mon, 10 Apr 2017 16:14:05 -0400
Subject: Use checked_numeric to guard shift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's possible for the RANGELEN[NTEMP] value to be larger then 32. This will make the shift invalid if the 1 is an int. This CL changes to 1L and uses the CheckedNumeric to validate that the result is inside the needed range for an int.

Bug: chromium:708439
Change-Id: I1f0359985c2d7769367bd0edcf5e081f5bb58816
Reviewed-on: https://pdfium-review.googlesource.com/3991
Commit-Queue: dsinclair
Reviewed-by: Nicolás Peña
---
 core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 3bb6ae620c..a4998e99cf 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -70,6 +70,10 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
 return false;
 }
 RANGELOW[NTEMP] = cur_low.ValueOrDie();
+
+ if (RANGELEN[NTEMP] >= 32)
+ return false;
+
 cur_low += (1 << RANGELEN[NTEMP]);
 if (!cur_low.IsValid())
 return false;
--
cgit v1.2.3
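Review bot: The added guard `if (RANGELEN[NTEMP] >= 32)` still lets a length of 31 through, and the unchanged `1 << RANGELEN[NTEMP]` on the following line then shifts into the sign bit of an int, so the value added to `cur_low` is not the positive range width (typically INT_MIN, and undefined under older language standards). These lengths appear to come from the coded stream passed to ParseFromCodedBuffer, so I would either tighten the bound to `if (RANGELEN[NTEMP] >= 31) return false;` or widen the operand, e.g. `cur_low += (int64_t{1} << RANGELEN[NTEMP]);`, so that the existing `IsValid()` check catches the overflow; this assumes `cur_low` is a checked int, which the hunk does not show. The commit message describes switching to `1L` with CheckedNumeric validation, which does not match the code here; a comment above the guard such as `// Shift count must stay below the bit width of int.` would record the actual intent. The function body starts and ends outside the hunk.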