commit a4c4d0ad14042202859e20ee10b7e704f1e3499b
author Nico Weber <thakis@chromium.org> Mon Nov 10 11:48:16 2025 -0800
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Nov 10 11:48:16 2025 -0800
tree 1c526e438ac9c2ced1cdcf0a2dc3d0a69a180b81
parent debf26bdca27c26a3dd44049d937b019e77f5267

Fix reading refine-one symbols in huffman symbol dictionaries using refinement

The symbol ID table is a uniform huffman table, which is just a
roundabout way of saying that every symbol is a uint that needs exactly
N bits.

The test will go into the corpus tests.

Bug: 459326233
Change-Id: Icc3b81430f34eb450771ba5bed31e13d1236beaf
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/137910
Commit-Queue: Nico Weber <thakis@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nico Weber <thakis@google.com>

core/fxcodec/jbig2/JBig2_SddProc.cpp

diff --git a/core/fxcodec/jbig2/JBig2_SddProc.cpp b/core/fxcodec/jbig2/JBig2_SddProc.cpp
index 9f2c148..2d5a182 100644
--- a/core/fxcodec/jbig2/JBig2_SddProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_SddProc.cpp
@@ -378,22 +378,17 @@
             nTmp++;
           }
           uint8_t SBSYMCODELEN = (uint8_t)nTmp;
-          uint32_t uVal = 0;
-          uint32_t IDI;
-          for (;;) {
+          uint32_t IDI = 0;
+          for (uint32_t n = 0; n < SBSYMCODELEN; ++n) {
             if (pStream->read1Bit(&nTmp) != 0) {
               return nullptr;
             }
 
-            uVal = (uVal << 1) | nTmp;
-            if (uVal >= SBNUMSYMS) {
-              return nullptr;
-            }
+            IDI = (IDI << 1) | nTmp;
+          }
 
-            IDI = SBSYMCODELEN == 0 ? uVal : SBNUMSYMS;
-            if (IDI < SBNUMSYMS) {
-              break;
-            }
+          if (IDI >= SBNUMSYMS) {
+            return nullptr;
           }
 
           CJBig2_Image* sbsyms_idi = GetImage(IDI, SDNEWSYMS);