From 8975902470dbfc15289b69f41e43ad0433ca51ae Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Tue, 7 Jun 2016 09:48:39 -0700
Subject: Verify we have a CJBig2_Image before attempting use.

In CJBig2_SDDProc::decode_Arith we will set a SDNEWSYMS value to nullptr if the height or width are 0. With the PDF from the bug, all of the decoders are set to nullptr. Then, we call into CJBig2_TRDProc::decode_Arith and pull out one of the nullptr decoders and attempt to use it, crashing.

This CL adds a check that we have a non-null decoder before attempting to use the decoder.

BUG=pdfium:511
Review-Url: https://codereview.chromium.org/2048683002
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'core/fxcodec/jbig2/JBig2_TrdProc.cpp')

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index 5b0ef19505..177db9dec9 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -324,11 +324,14 @@ CJBig2_Image* CJBig2_TRDProc::decode_Arith(CJBig2_ArithDecoder* pArithDecoder,
       pIARDX->decode(pArithDecoder, &RDXI);
       pIARDY->decode(pArithDecoder, &RDYI);
       CJBig2_Image* IBOI = SBSYMS[IDI];
+      if (!IBOI)
+        return nullptr;
+
       uint32_t WOI = IBOI->m_nWidth;
       uint32_t HOI = IBOI->m_nHeight;
-      if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0) {
+      if ((int)(WOI + RDWI) < 0 || (int)(HOI + RDHI) < 0)
         return nullptr;
-      }
+
       std::unique_ptr pGRRD(new CJBig2_GRRDProc());
       pGRRD->GRW = WOI + RDWI;
       pGRRD->GRH = HOI + RDHI;
-- 
cgit v1.2.3
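Review bot: The new `if (!IBOI) return nullptr;` guards only the refinement path that reads `SBSYMS[IDI]` at the top of this hunk; the non-refinement read of `SBSYMS[IDI]` elsewhere in decode_Arith and the matching code in decode_Huffman are outside the hunk, and if they dereference the symbol without the same check, the crash from pdfium:511 reproduces there with a differently shaped input. It is also worth confirming that IDI is range-checked against the symbol count before this lookup, since that check, if present, is above the hunk. The retained `(int)(WOI + RDWI) < 0` test bounds the refined size below 2^31 but still admits a zero width or height reaching `pGRRD->GRW`/`GRH`, even though SDDProc itself refuses to keep zero-size symbols; whether CJBig2_GRRDProc tolerates a zero-size target cannot be told from here. A short comment on the new check would help the next reader: `// SDDProc stores nullptr for symbols with zero width or height; a refinement of a missing symbol cannot be decoded.` decode_Arith's body starts and ends outside the hunk.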