Google Git
Sign in
pdfium / pdfium / 5614d119e91264c428396f9eb84afea866011fca^! / .
commit5614d119e91264c428396f9eb84afea866011fca[log] [tgz]
authorNicolas Pena <npm@chromium.org>Wed Oct 25 16:51:20 2017 -0400
committerChromium commit bot <commit-bot@chromium.org>Wed Oct 25 21:16:37 2017 +0000
tree88e45227c892170ccde55088960b1575e505f092
parent96ef1dd84d1d288f7eeb05ce97d19871e912bf64 [diff]
Enforce end of data in CJBig2_ArithDecoder

Quoting the JBIG2 spec: "If B is a 0xFF byte, then B1 (the byte pointed
to by BP+1) is tested. If B1 exceeds 0x8F, then B1 must be one of the
marker codes. The marker code is interpreted as required, and the buffer
pointer remains pointed to the 0xFF prefix of the marker code which
terminates the arithmetically compressed data. 1-bits are then fed to
the decoder until the decoding is complete. This is shown by adding
0xFF00 to the C-register and setting the bit counter CT to 8."

Our implementation is the alternative (faster for software according to
the spec), where only CT is changed to 8.

Reaching this part of the code means we will never read from stream
again so we should be wrapping up the decoding. To ensure this, the
|m_Complete| attribute is set to true if we reach this code again,
which will result in bailing out next time DECODE is called.

Bug: 767156
Change-Id: I434d46bc7914713a065f0e4da079bbc9b5dd216c
Reviewed-on: https://pdfium-review.googlesource.com/16791
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>

diff --git a/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp b/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
index 45628a8..deba72b 100644
--- a/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp
+++ b/core/fxcodec/jbig2/JBig2_ArithDecoder.cpp

@@ -56,7 +56,7 @@
 }  // namespace
 
 CJBig2_ArithDecoder::CJBig2_ArithDecoder(CJBig2_BitStream* pStream)
-    : m_Complete(false), m_pStream(pStream) {
+    : m_Complete(false), m_FinishedStream(false), m_pStream(pStream) {
   m_B = m_pStream->getCurByte_arith();
   m_C = (m_B ^ 0xff) << 16;
   BYTEIN();
@@ -95,6 +95,12 @@
     B1 = m_pStream->getNextByte_arith();
     if (B1 > 0x8f) {
       m_CT = 8;
+      // If we are here, it means that we have finished decoding data (see JBIG2
+      // spec, Section E.3.4). If we arrive here a second time, we're looping,
+      // so complete decoding.
+      if (m_FinishedStream)
+        m_Complete = true;
+      m_FinishedStream = true;
     } else {
       m_pStream->incByteIdx();
       m_B = B1;

diff --git a/core/fxcodec/jbig2/JBig2_ArithDecoder.h b/core/fxcodec/jbig2/JBig2_ArithDecoder.h
index d4a2dae..c9e29a5 100644
--- a/core/fxcodec/jbig2/JBig2_ArithDecoder.h
+++ b/core/fxcodec/jbig2/JBig2_ArithDecoder.h

@@ -35,6 +35,7 @@
   void ReadValueA();
 
   bool m_Complete;
+  bool m_FinishedStream;
   uint8_t m_B;
   unsigned int m_C;
   unsigned int m_A;