From 3cb71268405f64b98109853bd3b59e50db58692d Mon Sep 17 00:00:00 2001 From: Henrique Nakashima Date: Thu, 14 Sep 2017 17:31:07 -0400 Subject: Fix decoding of JBIG2 integers for values with large magnitude. Now considering anything not representable by a 32-bit signed int as OOB rather than decoding some arbitrary overflowed value. Bug: chromium:761666 Change-Id: I00f5a3abadca51f9bedc5e5d78f7f184040c2f33 Reviewed-on: https://pdfium-review.googlesource.com/14010 Commit-Queue: Henrique Nakashima Reviewed-by: Tom Sepez Reviewed-by: Ryan Harrison --- core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'core/fxcodec') diff --git a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp index 1701538b4f..7ed7702964 100644 --- a/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp +++ b/core/fxcodec/jbig2/JBig2_ArithIntDecoder.cpp @@ -49,6 +49,9 @@ CJBig2_ArithIntDecoder::~CJBig2_ArithIntDecoder() {} bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder, int* nResult) { + // This decoding algorithm is explained in "Annex A - Arithmetic Integer + // Decoding Procedure" on page 113 of the JBIG2 specification (ISO/IEC FCD + // 14492). int PREV = 1; const int S = pArithDecoder->DECODE(&m_IAx[PREV]); PREV = ShiftOr(PREV, S); @@ -64,8 +67,17 @@ bool CJBig2_ArithIntDecoder::decode(CJBig2_ArithDecoder* pArithDecoder, PREV = (PREV & 511) | 256; nTemp = ShiftOr(nTemp, D); } - int nValue = g_ArithIntDecodeData[nDecodeDataIndex].nValue; - nValue += nTemp; + pdfium::base::CheckedNumeric safeValue = + g_ArithIntDecodeData[nDecodeDataIndex].nValue; + safeValue += nTemp; + + // Value does not fit in int. + if (!safeValue.IsValid()) { + *nResult = 0; + return false; + } + + int nValue = safeValue.ValueOrDie(); if (S == 1 && nValue > 0) nValue = -nValue; -- cgit v1.2.3