M69: Fix a JBIG2 decoding regression.
When trying to sanity check SBNUMINSTANCES for JBIG2 text regions for
https://crbug.com/837192, the check did not take data encoding into
account. Fix this by assuming there is a potential for 16:1 compression
in the lossless encoding.
TBR=rharrison@chromium.org
BUG=chromium:871848
Change-Id: I991dacff9fbefa4e302f5ce92a355902ef94308a
Reviewed-on: https://pdfium-review.googlesource.com/39790
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit b0fc6e958634d919349e2a7611dd99f121e41d7d)
Reviewed-on: https://pdfium-review.googlesource.com/39993
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index ec81990..5bf9df9 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -649,13 +649,13 @@
if (m_pStream->readInteger(&pTRD->SBNUMINSTANCES) != 0)
return JBig2_Result::kFailure;
- // Assume each instance takes at least 4 bits. That means for a stream of
- // length N, there can be at most 2N instances. This is an extremely
+ // Assume each instance takes at least 0.25 bits when encoded. That means for
+ // a stream of length N bytes, there can be at most 32N instances. This is a
// conservative estimate just to sanitize the |SBNUMINSTANCES| value.
// Use FX_SAFE_INT32 to be safe, though it should never overflow because PDFs
// have a maximum size of roughly 11 GB.
FX_SAFE_INT32 nMaxStripInstances = m_pStream->getLength();
- nMaxStripInstances *= 2;
+ nMaxStripInstances *= 32;
if (pTRD->SBNUMINSTANCES > nMaxStripInstances.ValueOrDie())
return JBig2_Result::kFailure;
