Merge to XFA: Fix a heap overflow in CJBig2_Context::parseSymbolDict

BUG=476107
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1080893002

diff --git a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
index 214688d..33bbe39 100644 (file)
--- a/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithDecoder.h
@@ -72,6 +72,10 @@ inline void CJBig2_ArithDecoder::BYTEIN()
 }
 inline int CJBig2_ArithDecoder::DECODE(JBig2ArithCtx *pCX)
 {
+    if (!pCX || pCX->I >= JBIG2_QE_NUM) {
+        return 0;
+    }
+
     int D;
     const JBig2ArithQe * qe = &QeTable[pCX->I];
     A = A - qe->Qe;

diff --git a/core/src/fxcodec/jbig2/JBig2_ArithQe.h b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
index 5405e42..8a723be 100644 (file)
--- a/core/src/fxcodec/jbig2/JBig2_ArithQe.h
+++ b/core/src/fxcodec/jbig2/JBig2_ArithQe.h
@@ -13,4 +13,5 @@ typedef struct {
     unsigned int nSwitch;
 } JBig2ArithQe;
 extern const JBig2ArithQe QeTable[];
+extern const unsigned int JBIG2_QE_NUM;
 #endif

diff --git a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
index 6179317..53faab4 100644 (file)
--- a/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_GeneralDecoder.cpp
@@ -61,6 +61,8 @@ extern const JBig2ArithQe QeTable[] = {
     { 0x5601, 46, 46, 0 }
 };
 
+extern const unsigned int JBIG2_QE_NUM = sizeof(QeTable) / sizeof(JBig2ArithQe);
+
 CJBig2_Image *CJBig2_GRDProc::decode_Arith(CJBig2_ArithDecoder *pArithDecoder, JBig2ArithCtx *gbContext)
 {
     if (GBW == 0 || GBH == 0) {