From cca452eab645fd6b0e63ab2fd1dd553277df111e Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 23 Apr 2018 16:29:47 +0000
Subject: Add more image size checks in CJBig2_Context.

BUG=chromium:834557
Change-Id: I8fb8d74f87097b39608c3f83f2fa1c4e49e69980
Reviewed-on: https://pdfium-review.googlesource.com/31170
Commit-Queue: Ryan Harrison
Reviewed-by: Ryan Harrison
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'core/fxcodec/jbig2')

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 3d823c7b19..57bae1c617 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -637,6 +637,10 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
 m_pStream->readShortInteger(&wFlags) != 0) {
 return JBIG2_ERROR_TOO_SHORT;
 }
+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }

 auto pTRD = pdfium::MakeUnique();
 pTRD->SBW = ri.width;
@@ -984,6 +988,11 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
 if (pHRD->HGW == 0 || pHRD->HGH == 0)
 return JBIG2_ERROR_FATAL;

+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }
+
 pHRD->HBW = ri.width;
 pHRD->HBH = ri.height;
 pHRD->HMMR = cFlags & 0x01;
@@ -1148,6 +1157,11 @@ int32_t CJBig2_Context::parseGenericRefinementRegion(CJBig2_Segment* pSegment) {
 m_pStream->read1Byte(&cFlags) != 0) {
 return JBIG2_ERROR_TOO_SHORT;
 }
+ if (ri.width <= 0 || ri.width > JBIG2_MAX_IMAGE_SIZE || ri.height <= 0 ||
+ ri.height > JBIG2_MAX_IMAGE_SIZE) {
+ return JBIG2_ERROR_FATAL;
+ }
+
 auto pGRRD = pdfium::MakeUnique();
 pGRRD->GRW = ri.width;
 pGRRD->GRH = ri.height;
-- cgit v1.2.3
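Review bot: The same four-line bounds check on `ri.width`/`ri.height` is pasted verbatim into parseTextRegion in this hunk and again into parseHalftoneRegion and parseGenericRefinementRegion in the next two; a file-local helper would keep the three copies from drifting and give the limit one place to be documented. Each of the three parser bodies starts and ends outside its hunk. Bounding each dimension to JBIG2_MAX_IMAGE_SIZE does not by itself bound the width*height product, so this presumably relies on the image allocation path to reject oversized totals — worth confirming rather than assuming. If other region parsers not shown in this diff consume `ri` the same way, they should go through the same helper so the validation stays uniform.
```cpp
// Rejects region dimensions that are non-positive or larger than the
// JBIG2 per-dimension limit; callers treat a false result as fatal.
bool IsValidRegionSize(int32_t width, int32_t height) {
  return width > 0 && width <= JBIG2_MAX_IMAGE_SIZE && height > 0 &&
         height <= JBIG2_MAX_IMAGE_SIZE;
}

// … unchanged: parseTextRegion header/flag reads …
  if (!IsValidRegionSize(ri.width, ri.height))
    return JBIG2_ERROR_FATAL;
// … unchanged: pTRD construction …
```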