From f761a3aa4a001736249e1d7c3dce3b9dc8436a8d Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 29 Mar 2017 16:04:37 -0400
Subject: Fix undefined shift in JBig2_SddProc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: chromium:655535
Change-Id: I114a9447a9af107e6056e6056e7514ba789e282b
Reviewed-on: https://pdfium-review.googlesource.com/3294
Commit-Queue: Nicolás Peña
Commit-Queue: dsinclair
Reviewed-by: dsinclair
---
 core/fxcodec/jbig2/JBig2_SddProc.cpp | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/core/fxcodec/jbig2/JBig2_SddProc.cpp b/core/fxcodec/jbig2/JBig2_SddProc.cpp
index bca2aef716..cf23884848 100644
--- a/core/fxcodec/jbig2/JBig2_SddProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_SddProc.cpp
@@ -301,7 +301,7 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Huffman(
 uint32_t EXINDEX;
 bool CUREXFLAG;
 uint32_t EXRUNLENGTH;
- int32_t nVal, nBits;
+ int32_t nVal;
 uint32_t nTmp;
 uint32_t SBNUMSYMS;
 uint8_t SBSYMCODELEN;
@@ -439,30 +439,19 @@ CJBig2_SymbolDict* CJBig2_SDDProc::decode_Huffman(
 nTmp++;
 }
 SBSYMCODELEN = (uint8_t)nTmp;
- SBSYMCODES = FX_Alloc(JBig2HuffmanCode, SBNUMSYMS);
- for (I = 0; I < SBNUMSYMS; I++) {
- SBSYMCODES[I].codelen = SBSYMCODELEN;
- SBSYMCODES[I].code = I;
- }
 nVal = 0;
- nBits = 0;
 for (;;) {
- if (pStream->read1Bit(&nTmp) != 0) {
- FX_Free(SBSYMCODES);
+ if (pStream->read1Bit(&nTmp) != 0)
 goto failed;
- }
+
 nVal = (nVal << 1) | nTmp;
- for (IDI = 0; IDI < SBNUMSYMS; IDI++) {
- if ((nVal == SBSYMCODES[IDI].code) &&
- (nBits == SBSYMCODES[IDI].codelen)) {
- break;
- }
- }
- if (IDI < SBNUMSYMS) {
+ if (nVal < 0 || static_cast(nVal) >= SBNUMSYMS)
+ goto failed;
+
+ IDI = SBSYMCODELEN == 0 ? nVal : SBNUMSYMS;
+ if (IDI < SBNUMSYMS)
 break;
- }
 }
- FX_Free(SBSYMCODES);
 auto SBHUFFRDX = pdfium::MakeUnique(
 HuffmanTable_B15, HuffmanTable_B15_Size, HuffmanTable_HTOOB_B15);
 auto SBHUFFRSIZE = pdfium::MakeUnique(
-- cgit v1.2.3
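Review bot: The `nVal < 0` test in the second hunk detects an overflowed shift only after `nVal = (nVal << 1) | nTmp;` has already run on a signed int32_t, so the shift this commit is about is still not well defined once nVal reaches 2^30. That requires SBNUMSYMS to be above 2^30; SBNUMSYMS is a uint32_t set outside the hunk, so whether it is bounded cannot be seen here. A guard placed before the shift, `if (nVal > (INT32_MAX >> 1)) goto failed;`, would make the loop independent of that bound. Separately, the loop can leave successfully only when SBSYMCODELEN is 0 (otherwise IDI is set to SBNUMSYMS and bits are read until a check fails); this appears to match the old behaviour, where nBits was never incremented in the visible lines, and deserves a comment such as `// Only a zero-length symbol code can match here; any longer code ends in failed.` decode_Huffman starts and ends outside the hunk.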