From 0562ff4f6e2ec555212d90f2f5b1751d5d576107 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Wed, 1 Aug 2018 19:27:11 +0000 Subject: Bounds check lineSrc in JBig2_Image.cpp. No matter how the dimensions might be determined, we know the hard end of the source line, and can use it for a bounds check. We expect the size is quantized to a multiple of m_stride, so as long as each block operates within an m_stride, the initial check should be sufficient. Bug: 867501 Change-Id: Iaf9936557b856f3eb09fef522f3e6738aa4f38f0 Reviewed-on: https://pdfium-review.googlesource.com/39310 Reviewed-by: Lei Zhang Commit-Queue: Tom Sepez --- core/fxcodec/jbig2/JBig2_Image.cpp | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'core/fxcodec/jbig2/JBig2_Image.cpp') diff --git a/core/fxcodec/jbig2/JBig2_Image.cpp b/core/fxcodec/jbig2/JBig2_Image.cpp index 442a36d2a6..59f65c6f4d 100644 --- a/core/fxcodec/jbig2/JBig2_Image.cpp +++ b/core/fxcodec/jbig2/JBig2_Image.cpp @@ -705,8 +705,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, int32_t maskL = 0xffffffff >> d1; int32_t maskR = 0xffffffff << ((32 - (xd1 & 31)) % 32); int32_t maskM = maskL & maskR; - uint8_t* lineSrc = + const uint8_t* lineSrc = data() + (rtSrc.top + ys0) * m_nStride + (((xs0 + rtSrc.left) >> 5) << 2); + const uint8_t* lineSrcEnd = data() + m_nHeight * m_nStride; int32_t lineLeft = m_nStride - ((xs0 >> 5) << 2); uint8_t* lineDst = pDst->data() + yd0 * pDst->m_nStride + ((xd0 >> 5) << 2); if ((xd0 & ~31) == ((xd1 - 1) & ~31)) { @@ -714,6 +715,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, if (s1 > d1) { uint32_t shift = s1 - d1; for (int32_t yy = yd0; yy < yd1; yy++) { + if (lineSrc >= lineSrcEnd) + return false; uint32_t tmp1 = JBIG2_GETDWORD(lineSrc) << shift; uint32_t tmp2 = JBIG2_GETDWORD(lineDst); uint32_t tmp = 0; @@ -744,6 +747,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, } else { uint32_t shift = d1 - s1; for (int32_t yy = yd0; yy < yd1; yy++) { + if (lineSrc >= lineSrcEnd) + return false; uint32_t tmp1 = JBIG2_GETDWORD(lineSrc) >> shift; uint32_t tmp2 = JBIG2_GETDWORD(lineDst); uint32_t tmp = 0; @@ -776,6 +781,8 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, uint32_t shift1 = s1 - d1; uint32_t shift2 = 32 - shift1; for (int32_t yy = yd0; yy < yd1; yy++) { + if (lineSrc >= lineSrcEnd) + return false; uint32_t tmp1 = (JBIG2_GETDWORD(lineSrc) << shift1) | (JBIG2_GETDWORD(lineSrc + 4) >> shift2); uint32_t tmp2 = JBIG2_GETDWORD(lineDst); @@ -811,7 +818,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, uint32_t shift2 = 32 - shift1; int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5); for (int32_t yy = yd0; yy < yd1; yy++) { - uint8_t* sp = lineSrc; + if (lineSrc >= lineSrcEnd) + return false; + const uint8_t* sp = lineSrc; uint8_t* dp = lineDst; if (d1 != 0) { uint32_t tmp1 = (JBIG2_GETDWORD(sp) << shift1) | @@ -906,7 +915,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, } else if (s1 == d1) { int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5); for (int32_t yy = yd0; yy < yd1; yy++) { - uint8_t* sp = lineSrc; + if (lineSrc >= lineSrcEnd) + return false; + const uint8_t* sp = lineSrc; uint8_t* dp = lineDst; if (d1 != 0) { uint32_t tmp1 = JBIG2_GETDWORD(sp); @@ -998,7 +1009,9 @@ bool CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image* pDst, uint32_t shift2 = 32 - shift1; int32_t middleDwords = (xd1 >> 5) - ((xd0 + 31) >> 5); for (int32_t yy = yd0; yy < yd1; yy++) { - uint8_t* sp = lineSrc; + if (lineSrc >= lineSrcEnd) + return false; + const uint8_t* sp = lineSrc; uint8_t* dp = lineDst; if (d1 != 0) { uint32_t tmp1 = JBIG2_GETDWORD(sp) >> shift1; -- cgit v1.2.3