From 76c9a1b146145fc3605f91a807b0bc99d2607a0f Mon Sep 17 00:00:00 2001 From: Dan Sinclair Date: Mon, 10 Apr 2017 13:14:39 -0400 Subject: Guard against negative shift in jbig2 huffman initialization MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Depending on the code table, it's possible to have the largest PREFLEN value in the huffman table to be > 32. This will, potentially, cause the calcuation of ((FIRSTCODE[i - 1] + LENCOUNT[i - 1]) << 1 to overflow the int value and cause a negative shift. This Cl checks the shift value and failes the initialization if we would shift a negative value. Bug: chromium:709781 Change-Id: Ia165a01ba9412e31c5e5a43717d415fcb42eafe5 Reviewed-on: https://pdfium-review.googlesource.com/3990 Reviewed-by: Lei Zhang Reviewed-by: Nicolás Peña Commit-Queue: dsinclair --- core/fxcodec/jbig2/JBig2_HuffmanTable.cpp | 15 +++++++++++---- core/fxcodec/jbig2/JBig2_HuffmanTable.h | 2 +- 2 files changed, 12 insertions(+), 5 deletions(-) (limited to 'core/fxcodec')
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index baf97567fb..3bb6ae620c 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -97,11 +97,10 @@ bool CJBig2_HuffmanTable::ParseFromCodedBuffer(CJBig2_BitStream* pStream) {
 ++NTEMP;
 }
- InitCodes();
- return true;
+ return InitCodes();
 }
-void CJBig2_HuffmanTable::InitCodes() {
+bool CJBig2_HuffmanTable::InitCodes() {
 int lenmax = 0;
 for (uint32_t i = 0; i < NTEMP; ++i)
 lenmax = std::max(PREFLEN[i], lenmax);
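Review bot: The new `bool` return of `InitCodes()` is not documented anywhere in this hunk, and `ParseFromCodedBuffer` now simply forwards it with `return InitCodes();`, so a reader cannot tell from either site that a `false` means the coded table was rejected rather than merely left unfilled. A one-line comment above the definition, `// Assigns canonical prefix codes from PREFLEN; returns false if the code space overflows int, in which case the table is unusable and the parse fails.`, with the same wording on the declaration in JBig2_HuffmanTable.h, would record that contract. The body of InitCodes continues past this hunk, and whatever the caller does with m_bOK on failure is outside it as well.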
@@ -115,13 +114,21 @@ void CJBig2_HuffmanTable::InitCodes() {
 FIRSTCODE[0] = 0;
 LENCOUNT[0] = 0;
 for (int i = 1; i <= lenmax; ++i) {
- FIRSTCODE[i] = (FIRSTCODE[i - 1] + LENCOUNT[i - 1]) << 1;
+ pdfium::base::CheckedNumeric shifted;
+ shifted = FIRSTCODE[i - 1] + LENCOUNT[i - 1];
+ shifted <<= 1;
+ if (!shifted.IsValid())
+ return false;
+
+ FIRSTCODE[i] = shifted.ValueOrDie();
 int CURCODE = FIRSTCODE[i];
 for (uint32_t j = 0; j < NTEMP; ++j) {
 if (PREFLEN[j] == i)
 CODES[j] = CURCODE++;
 }
 }
+
+ return true;
 }
 void CJBig2_HuffmanTable::ExtendBuffers(bool increment) {
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.h b/core/fxcodec/jbig2/JBig2_HuffmanTable.h
index 58a3124881..b49fcebc9c 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.h
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.h
@@ -35,7 +35,7 @@ class CJBig2_HuffmanTable {
 private:
 void ParseFromStandardTable(const JBig2TableLine* pTable);
 bool ParseFromCodedBuffer(CJBig2_BitStream* pStream);
- void InitCodes();
+ bool InitCodes();
 void ExtendBuffers(bool increment);
 bool m_bOK;
-- cgit v1.2.3
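Review bot: The addition `FIRSTCODE[i - 1] + LENCOUNT[i - 1]` on the second added line is still evaluated in plain arithmetic before its result is assigned to `shifted`, so only the shift is range-checked; if those members are `int` (their declarations are outside the hunk), a coded table whose lengths nearly fill the code space — one code of each length 1 through 30, two of length 31 and one of length 32 — leaves `FIRSTCODE[31]` at 2147483646 and the addition at `i == 32` overflows before `CheckedNumeric` ever sees it, which is signed-overflow UB instead of the clean `false` the commit intends. Start the checked value from the first operand and do the addition inside it: `pdfium::base::CheckedNumeric<int> shifted = FIRSTCODE[i - 1];` `shifted += LENCOUNT[i - 1];` `shifted <<= 1;`. The declaration as rendered here shows `CheckedNumeric` with no template argument, which looks like a rendering loss rather than the patch itself, but is worth confirming against the source. If the code width is fixed, a cheaper guard would be to reject `lenmax` above the bit width of the code type before the loop, since a prefix length that cannot fit in the code can never be assigned anyway. The enclosing for loop and function are fully within this hunk, but the sizes of FIRSTCODE and LENCOUNT that `i` indexes are not visible.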