From 5e3b976529f18deb389ed608da88b895eb115d72 Mon Sep 17 00:00:00 2001 From: Dan Sinclair Date: Tue, 3 Jan 2017 14:57:14 -0500 Subject: Check for overflow in JBig2 Huffman decoder This CL updates the Huffman decoder in the JBig2 codex to check the low field does not overflow. BUG=chromium:675236 Change-Id: I7f5f6fe8329df4ece6f317fac521fe2373686479 Reviewed-on: https://pdfium-review.googlesource.com/2131 Reviewed-by: Tom Sepez Commit-Queue: dsinclair --- core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'core/fxcodec') diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp index 26f0e52310..baf97567fb 100644 --- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp +++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp @@ -13,6 +13,7 @@ #include "core/fxcodec/jbig2/JBig2_Define.h" #include "core/fxcodec/jbig2/JBig2_HuffmanTable_Standard.h" #include "core/fxcrt/fx_memory.h" +#include "third_party/base/numerics/safe_math.h" CJBig2_HuffmanTable::CJBig2_HuffmanTable(const JBig2TableLine* pTable, uint32_t nLines, @@ -61,17 +62,19 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) { return false; ExtendBuffers(false); - int cur_low = low; + pdfium::base::CheckedNumeric cur_low = low; do { if ((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) || (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1) || (static_cast(RANGELEN[NTEMP]) >= 8 * sizeof(cur_low))) { return false; } - RANGELOW[NTEMP] = cur_low; + RANGELOW[NTEMP] = cur_low.ValueOrDie(); cur_low += (1 << RANGELEN[NTEMP]); + if (!cur_low.IsValid()) + return false; ExtendBuffers(true); - } while (cur_low < high); + } while (cur_low.ValueOrDie() < high); if (pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) return false; -- cgit v1.2.3
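Review bot: The range-length guard in the second hunk still compares against `8 * sizeof(cur_low)`, but `cur_low` is now a `CheckedNumeric` wrapper rather than an `int`, so the bound is the size of the wrapper object and may admit larger RANGELEN values than before (the wrapper's layout is not visible here, so this needs confirming). The shift `(1 << RANGELEN[NTEMP])` is also evaluated as a plain `int` before the checked addition, so an oversized RANGELEN read from the stream overflows in the shift itself, where `IsValid()` cannot see it. I would bound the length against the value type directly, for example `8 * sizeof(int) - 1` in place of `8 * sizeof(cur_low)`, so the shift never reaches the sign bit. ParseFromCodedBuffer begins and ends outside the hunk, so an earlier bound on RANGELEN may exist that is not visible here.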