From ebdba614b9683ddd1d50e8960639bc54c9d4bb7a Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 23 Oct 2017 14:24:06 -0400
Subject: Fix some integer overflows in CJBig2_TRDProc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: 649278
Change-Id: Ib9084f6d9bb7dc7bf3713faa22d3a26822a96681
Reviewed-on: https://pdfium-review.googlesource.com/16550
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 core/fxcodec/jbig2/JBig2_TrdProc.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'core/fxcodec')

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index d513637a9d..2724d1de49 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -249,10 +249,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
   }
   auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
   SBREG->fill(SBDEFPIXEL);
-  int32_t STRIPT;
-  if (!pIADT->decode(pArithDecoder, &STRIPT))
+  int32_t INITIAL_STRIPT;
+  if (!pIADT->decode(pArithDecoder, &INITIAL_STRIPT))
     return nullptr;
 
+  FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
   STRIPT *= SBSTRIPS;
   STRIPT = -STRIPT;
   int32_t FIRSTS = 0;
@@ -287,7 +288,11 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::decode_Arith(
       if (SBSTRIPS != 1)
         pIAIT->decode(pArithDecoder, &CURT);
 
-      int32_t TI = STRIPT + CURT;
+      FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+      if (!SAFE_TI.IsValid())
+        return nullptr;
+
+      int32_t TI = SAFE_TI.ValueOrDie();
       uint32_t IDI;
       pIAID->decode(pArithDecoder, &IDI);
       if (IDI >= SBNUMSYMS)
-- 
cgit v1.2.3