[M98] Use safe arithmetic in CJBig2_Context::ParseSymbolDict()
These should be mitigated by size checks higher up, but it wouldn't
hurt to be sure.
Bug: chromium:1280743
Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/88290
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit a48de319c5210da726cb3ae7eea0ab0ebf9a2c02)
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/89290
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 2a60cfd..f19c98d 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -408,28 +408,31 @@
return JBig2_Result::kFailure;
}
CJBig2_Segment* pLRSeg = nullptr;
- pSymbolDictDecoder->SDNUMINSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pSymbolDictDecoder->SDNUMINSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
pLRSeg = pSeg;
}
}
+ pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie();
std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SDINSYMS;
if (pSymbolDictDecoder->SDNUMINSYMS != 0) {
SDINSYMS.reset(FX_Alloc(CJBig2_Image*, pSymbolDictDecoder->SDNUMINSYMS));
- uint32_t dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SDINSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwTemp = (dwNumSyms + j).ValueOrDie();
+ SDINSYMS.get()[dwTemp] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
}
@@ -622,27 +625,30 @@
return JBig2_Result::kFailure;
}
- pTRD->SBNUMSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pTRD->SBNUMSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
}
}
+ pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie();
std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SBSYMS;
if (pTRD->SBNUMSYMS > 0) {
SBSYMS.reset(FX_Alloc(CJBig2_Image*, pTRD->SBNUMSYMS));
- dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SBSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwIndex = (dwNumSyms + j).ValueOrDie();
+ SBSYMS.get()[dwIndex] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
pTRD->SBSYMS = SBSYMS.get();