From 36b3d19281e2911a97d6ce84538a3ae575ac38a7 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 4 May 2018 18:49:57 +0000
Subject: Check CJBig2_Image is valid before filling.

Skip a lot of work that will all fail anyway.

BUG=chromium:838347

Change-Id: Iba45120e436b5547e106feb27dadea92cc948258
Reviewed-on: https://pdfium-review.googlesource.com/32053
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 core/fxcodec/jbig2/JBig2_GrdProc.cpp  | 20 ++++++++++++++++----
 core/fxcodec/jbig2/JBig2_GrrdProc.cpp | 10 ++++++++--
 core/fxcodec/jbig2/JBig2_HtrdProc.cpp |  3 +++
 core/fxcodec/jbig2/JBig2_TrdProc.cpp  | 24 +++++++++++++++++-------
 4 files changed, 44 insertions(+), 13 deletions(-)

(limited to 'core')

diff --git a/core/fxcodec/jbig2/JBig2_GrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrdProc.cpp
index 5343df269e..215d6fe6cf 100644
--- a/core/fxcodec/jbig2/JBig2_GrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_GrdProc.cpp
@@ -166,9 +166,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate0Opt3(
 std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate0Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext) {
-  int LTP = 0;
   auto GBREG = pdfium::MakeUnique<CJBig2_Image>(GBW, GBH);
+  if (!GBREG->data())
+    return nullptr;
+
   GBREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GBH; h++) {
     if (TPGDON) {
       if (pArithDecoder->IsComplete())
@@ -314,9 +317,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate1Opt3(
 std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate1Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext) {
-  int LTP = 0;
   auto GBREG = pdfium::MakeUnique<CJBig2_Image>(GBW, GBH);
+  if (!GBREG->data())
+    return nullptr;
+
   GBREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GBH; h++) {
     if (TPGDON) {
       if (pArithDecoder->IsComplete())
@@ -460,9 +466,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate2Opt3(
 std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate2Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext) {
-  int LTP = 0;
   auto GBREG = pdfium::MakeUnique<CJBig2_Image>(GBW, GBH);
+  if (!GBREG->data())
+    return nullptr;
+
   GBREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GBH; h++) {
     if (TPGDON) {
       if (pArithDecoder->IsComplete())
@@ -592,9 +601,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate3Opt3(
 std::unique_ptr<CJBig2_Image> CJBig2_GRDProc::DecodeArithTemplate3Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* gbContext) {
-  int LTP = 0;
   auto GBREG = pdfium::MakeUnique<CJBig2_Image>(GBW, GBH);
+  if (!GBREG->data())
+    return nullptr;
+
   GBREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GBH; h++) {
     if (TPGDON) {
       if (pArithDecoder->IsComplete())
diff --git a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
index fa4d435a92..8e4d8c005b 100644
--- a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
@@ -37,9 +37,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRRDProc::Decode(
 std::unique_ptr<CJBig2_Image> CJBig2_GRRDProc::DecodeTemplate0Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* grContext) {
-  int LTP = 0;
   auto GRREG = pdfium::MakeUnique<CJBig2_Image>(GRW, GRH);
+  if (!GRREG->data())
+    return nullptr;
+
   GRREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GRH; h++) {
     if (TPGRON) {
       if (pArithDecoder->IsComplete())
@@ -278,9 +281,12 @@ std::unique_ptr<CJBig2_Image> CJBig2_GRRDProc::DecodeTemplate0Opt(
 std::unique_ptr<CJBig2_Image> CJBig2_GRRDProc::DecodeTemplate1Unopt(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* grContext) {
-  int LTP = 0;
   auto GRREG = pdfium::MakeUnique<CJBig2_Image>(GRW, GRH);
+  if (!GRREG->data())
+    return nullptr;
+
   GRREG->fill(0);
+  int LTP = 0;
   for (uint32_t h = 0; h < GRH; h++) {
     if (TPGRON) {
       if (pArithDecoder->IsComplete())
diff --git a/core/fxcodec/jbig2/JBig2_HtrdProc.cpp b/core/fxcodec/jbig2/JBig2_HtrdProc.cpp
index fb2257e853..7d11482225 100644
--- a/core/fxcodec/jbig2/JBig2_HtrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_HtrdProc.cpp
@@ -117,6 +117,9 @@ std::unique_ptr<CJBig2_Image> CJBig2_HTRDProc::DecodeMMR(
 std::unique_ptr<CJBig2_Image> CJBig2_HTRDProc::DecodeImage(
     const std::vector<std::unique_ptr<CJBig2_Image>>& GSPLANES) {
   auto HTREG = pdfium::MakeUnique<CJBig2_Image>(HBW, HBH);
+  if (!HTREG->data())
+    return nullptr;
+
   HTREG->fill(HDEFPIXEL);
   std::vector<uint32_t> GSVALS(HGW * HGH);
   for (uint32_t y = 0; y < HGH; ++y) {
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index ff94309bc4..258014ab10 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -23,10 +23,13 @@ CJBig2_TRDProc::~CJBig2_TRDProc() {}
 std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeHuffman(
     CJBig2_BitStream* pStream,
     JBig2ArithCtx* grContext) {
-  auto pHuffmanDecoder = pdfium::MakeUnique<CJBig2_HuffmanDecoder>(pStream);
   auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
+  if (!SBREG->data())
+    return nullptr;
+
   SBREG->fill(SBDEFPIXEL);
   int32_t INITIAL_STRIPT;
+  auto pHuffmanDecoder = pdfium::MakeUnique<CJBig2_HuffmanDecoder>(pStream);
   if (pHuffmanDecoder->DecodeAValue(SBHUFFDT, &INITIAL_STRIPT) != 0)
     return nullptr;
 
@@ -224,7 +227,19 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeArith(
     CJBig2_ArithDecoder* pArithDecoder,
     JBig2ArithCtx* grContext,
     JBig2IntDecoderState* pIDS) {
+  auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
+  if (!SBREG->data())
+    return nullptr;
+
   MaybeOwned<CJBig2_ArithIntDecoder> pIADT;
+  if (pIDS)
+    pIADT = pIDS->IADT;
+  else
+    pIADT = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
+  int32_t INITIAL_STRIPT;
+  if (!pIADT->Decode(pArithDecoder, &INITIAL_STRIPT))
+    return nullptr;
+
   MaybeOwned<CJBig2_ArithIntDecoder> pIAFS;
   MaybeOwned<CJBig2_ArithIntDecoder> pIADS;
   MaybeOwned<CJBig2_ArithIntDecoder> pIAIT;
@@ -235,7 +250,6 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeArith(
   MaybeOwned<CJBig2_ArithIntDecoder> pIARDY;
   MaybeOwned<CJBig2_ArithIaidDecoder> pIAID;
   if (pIDS) {
-    pIADT = pIDS->IADT;
     pIAFS = pIDS->IAFS;
     pIADS = pIDS->IADS;
     pIAIT = pIDS->IAIT;
@@ -246,7 +260,6 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeArith(
     pIARDY = pIDS->IARDY;
     pIAID = pIDS->IAID;
   } else {
-    pIADT = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
     pIAFS = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
     pIADS = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
     pIAIT = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
@@ -257,11 +270,8 @@ std::unique_ptr<CJBig2_Image> CJBig2_TRDProc::DecodeArith(
     pIARDY = pdfium::MakeUnique<CJBig2_ArithIntDecoder>();
     pIAID = pdfium::MakeUnique<CJBig2_ArithIaidDecoder>(SBSYMCODELEN);
   }
-  auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
+
   SBREG->fill(SBDEFPIXEL);
-  int32_t INITIAL_STRIPT;
-  if (!pIADT->Decode(pArithDecoder, &INITIAL_STRIPT))
-    return nullptr;
 
   FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
   STRIPT *= SBSTRIPS;
-- 
cgit v1.2.3