commit ebdba614b9683ddd1d50e8960639bc54c9d4bb7a
author Nicolas Pena <npm@chromium.org> Mon Oct 23 14:24:06 2017 -0400
committer Chromium commit bot <commit-bot@chromium.org> Mon Oct 23 22:40:14 2017 +0000
tree 97ac6040c9a9e33d6381f23effd2ea54129c499a
parent c9d0bcccbd4cc460bb3e26f767eea2d33a5b48b6

Fix some integer overflows in CJBig2_TRDProc

Bug: 649278
Change-Id: Ib9084f6d9bb7dc7bf3713faa22d3a26822a96681
Reviewed-on: https://pdfium-review.googlesource.com/16550
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>

core/fxcodec/jbig2/JBig2_TrdProc.cpp

diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index d513637..2724d1d 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -249,10 +249,11 @@
   }
   auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
   SBREG->fill(SBDEFPIXEL);
-  int32_t STRIPT;
-  if (!pIADT->decode(pArithDecoder, &STRIPT))
+  int32_t INITIAL_STRIPT;
+  if (!pIADT->decode(pArithDecoder, &INITIAL_STRIPT))
     return nullptr;
 
+  FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
   STRIPT *= SBSTRIPS;
   STRIPT = -STRIPT;
   int32_t FIRSTS = 0;
@@ -287,7 +288,11 @@
       if (SBSTRIPS != 1)
         pIAIT->decode(pArithDecoder, &CURT);
 
-      int32_t TI = STRIPT + CURT;
+      FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+      if (!SAFE_TI.IsValid())
+        return nullptr;
+
+      int32_t TI = SAFE_TI.ValueOrDie();
       uint32_t IDI;
       pIAID->decode(pArithDecoder, &IDI);
       if (IDI >= SBNUMSYMS)