From 41799881d04a01168700558ff394962b3b318b46 Mon Sep 17 00:00:00 2001 From: Lei Zhang Date: Wed, 23 Aug 2017 23:40:22 -0700 Subject: Skip decoding of excessively large JBIG2 images. BUG=chromium:749610. Change-Id: I4de7855aec552e6c143e7a8be6b90e44945a0fcb Reviewed-on: https://pdfium-review.googlesource.com/11930 Commit-Queue: dsinclair Reviewed-by: Henrique Nakashima Reviewed-by: dsinclair --- core/fxcodec/jbig2/JBig2_GrdProc.cpp | 7 +++++-- core/fxcodec/jbig2/JBig2_GrrdProc.cpp | 4 +++- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'core') diff --git a/core/fxcodec/jbig2/JBig2_GrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrdProc.cpp index 764723bc6d..1d76f9053d 100644 --- a/core/fxcodec/jbig2/JBig2_GrdProc.cpp +++ b/core/fxcodec/jbig2/JBig2_GrdProc.cpp @@ -45,8 +45,10 @@ bool CJBig2_GRDProc::UseTemplate23Opt3() const { std::unique_ptr CJBig2_GRDProc::decode_Arith( CJBig2_ArithDecoder* pArithDecoder, JBig2ArithCtx* gbContext) { - if (GBW == 0 || GBH == 0) + if (GBW == 0 || GBW > JBIG2_MAX_IMAGE_SIZE || GBH == 0 || + GBH > JBIG2_MAX_IMAGE_SIZE) { return pdfium::MakeUnique(GBW, GBH); + } if (GBTEMPLATE == 0) { if (UseTemplate0Opt3()) @@ -639,7 +641,8 @@ FXCODEC_STATUS CJBig2_GRDProc::Start_decode_Arith( CJBig2_ArithDecoder* pArithDecoder, JBig2ArithCtx* gbContext, IFX_Pause* pPause) { - if (GBW == 0 || GBH == 0) { + if (GBW == 0 || GBW > JBIG2_MAX_IMAGE_SIZE || GBH == 0 || + GBH > JBIG2_MAX_IMAGE_SIZE) { m_ProssiveStatus = FXCODEC_STATUS_DECODE_FINISH; return FXCODEC_STATUS_DECODE_FINISH; } diff --git a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp index 11fa39945d..049e50a1a9 100644 --- a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp +++ b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp @@ -16,8 +16,10 @@ std::unique_ptr CJBig2_GRRDProc::decode( CJBig2_ArithDecoder* pArithDecoder, JBig2ArithCtx* grContext) { - if (GRW == 0 || GRH == 0) + if (GRW == 0 || GRW > JBIG2_MAX_IMAGE_SIZE || GRH == 0 || + GRH > JBIG2_MAX_IMAGE_SIZE) { return pdfium::MakeUnique(GRW, GRH); + } if (!GRTEMPLATE) { if ((GRAT[0] == -1) && (GRAT[1] == -1) && (GRAT[2] == -1) && -- cgit v1.2.3