From fee910e6f81fd199bfe4fd62ea538d1bc33056a8 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Thu, 30 Nov 2017 18:10:11 +0000
Subject: Prevent integer overflow in CJBig2_HuffmanTable::ParseFromCodedBuffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In this CL we prevent integer overflow by checking that the integers are
in the appropriate range before casting from unsigned to signed.

Bug: 789524
Change-Id: I41572849f18ffb0f0739c80130ee6b5061845d29
Reviewed-on: https://pdfium-review.googlesource.com/20011
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index a4998e99cf..1127f52a52 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/jbig2/JBig2_HuffmanTable.h"
 
 #include <algorithm>
+#include <limits>
 #include <vector>
 
 #include "core/fxcodec/jbig2/JBig2_BitStream.h"
@@ -52,7 +53,9 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
   uint32_t HTLOW;
   uint32_t HTHIGH;
   if (pStream->readInteger(&HTLOW) == -1 ||
-      pStream->readInteger(&HTHIGH) == -1) {
+      pStream->readInteger(&HTHIGH) == -1 ||
+      HTLOW > static_cast<uint32_t>(std::numeric_limits<int>::max()) ||
+      HTHIGH > static_cast<uint32_t>(std::numeric_limits<int>::max())) {
     return false;
   }
 
-- 
cgit v1.2.3