Fix some integer overflows in CJBig2_TRDProc
Bug: 649278
Change-Id: Ib9084f6d9bb7dc7bf3713faa22d3a26822a96681
Reviewed-on: https://pdfium-review.googlesource.com/16550
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
diff --git a/core/fxcodec/jbig2/JBig2_TrdProc.cpp b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
index d513637..2724d1d 100644
--- a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_TrdProc.cpp
@@ -249,10 +249,11 @@
}
auto SBREG = pdfium::MakeUnique<CJBig2_Image>(SBW, SBH);
SBREG->fill(SBDEFPIXEL);
- int32_t STRIPT;
- if (!pIADT->decode(pArithDecoder, &STRIPT))
+ int32_t INITIAL_STRIPT;
+ if (!pIADT->decode(pArithDecoder, &INITIAL_STRIPT))
return nullptr;
+ FX_SAFE_INT32 STRIPT = INITIAL_STRIPT;
STRIPT *= SBSTRIPS;
STRIPT = -STRIPT;
int32_t FIRSTS = 0;
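Review bot: After `STRIPT = -STRIPT;` the checked value is not tested for validity anywhere in this hunk, so an overflow in `INITIAL_STRIPT * SBSTRIPS` (a value decoded from the stream) is only caught at the later `SAFE_TI.IsValid()` check in the second hunk. The code between the two hunks is not visible, so either fail early with `if (!STRIPT.IsValid()) return nullptr;` right after the negation, or add a comment such as `// Overflow in STRIPT is detected when TI is computed below.` so that a later edit does not call `ValueOrDie()` on it unchecked. The enclosing function starts and ends outside the hunk.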
@@ -287,7 +288,11 @@
if (SBSTRIPS != 1)
pIAIT->decode(pArithDecoder, &CURT);
- int32_t TI = STRIPT + CURT;
+ FX_SAFE_INT32 SAFE_TI = STRIPT + CURT;
+ if (!SAFE_TI.IsValid())
+ return nullptr;
+
+ int32_t TI = SAFE_TI.ValueOrDie();
uint32_t IDI;
pIAID->decode(pArithDecoder, &IDI);
if (IDI >= SBNUMSYMS)
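Review bot: The result of `pIAIT->decode(pArithDecoder, &CURT)` just above the new check is discarded, unlike the `pIADT->decode` call in the first hunk, so a failed decode would leave CURT at whatever value it held before (its initialisation is outside the hunk), and that value then feeds `STRIPT + CURT`. If pIAIT's decode reports failure the same way pIADT's does, prefer `if (SBSTRIPS != 1 && !pIAIT->decode(pArithDecoder, &CURT)) return nullptr;`. The `IsValid()` check only guards against int32 wrap-around in the sum; whether TI is validated against the region bounds before it is used as a coordinate cannot be seen from this hunk. The enclosing loop body continues outside the hunk.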