Reject JBig2 Huffman table with too large shift value
BUG=chromium:653044
Review-Url: https://codereview.chromium.org/2397783002
diff --git a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
index 3b34018..26f0e52 100644
--- a/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
+++ b/core/fxcodec/jbig2/JBig2_HuffmanTable.cpp
@@ -64,7 +64,8 @@
int cur_low = low;
do {
if ((pStream->readNBits(HTPS, &PREFLEN[NTEMP]) == -1) ||
- (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1)) {
+ (pStream->readNBits(HTRS, &RANGELEN[NTEMP]) == -1) ||
+ (static_cast<size_t>(RANGELEN[NTEMP]) >= 8 * sizeof(cur_low))) {
return false;
}
RANGELOW[NTEMP] = cur_low;