Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick a48de319c521 from pdfium (#33715)
* chore: cherry-pick a48de319c521 from pdfium * Update config.json * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
- Loading branch information
1 parent
e11e12d
commit 458a843
Showing
3 changed files
with
96 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| cherry-pick-a48de319c521.patch |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: Tom Sepez <tsepez@chromium.org> | ||
| Date: Thu, 16 Dec 2021 23:53:35 +0000 | ||
| Subject: Use safe arithmetic in CJBig2_Context::ParseSymbolDict() | ||
|
|
||
| These should be mitigated by size checks higher up, but it wouldn't | ||
| hurt to be sure. | ||
|
|
||
| Bug: chromium:1280743 | ||
| Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e | ||
| Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/88290 | ||
| Reviewed-by: Lei Zhang <thestig@chromium.org> | ||
| Commit-Queue: Tom Sepez <tsepez@chromium.org> | ||
|
|
||
| diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp | ||
| index 083e95ba4c16c21f5f3934df92e54dbb6ee4fe88..08bdb253f32a2a6c393af6246b88440d837876d9 100644 | ||
| --- a/core/fxcodec/jbig2/JBig2_Context.cpp | ||
| +++ b/core/fxcodec/jbig2/JBig2_Context.cpp | ||
| @@ -409,28 +409,31 @@ JBig2_Result CJBig2_Context::ParseSymbolDict(CJBig2_Segment* pSegment) { | ||
| return JBig2_Result::kFailure; | ||
| } | ||
| CJBig2_Segment* pLRSeg = nullptr; | ||
| - pSymbolDictDecoder->SDNUMINSYMS = 0; | ||
| + FX_SAFE_UINT32 dwNumSyms = 0; | ||
| for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) { | ||
| CJBig2_Segment* pSeg = | ||
| FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]); | ||
| if (pSeg->m_cFlags.s.type == 0) { | ||
| - pSymbolDictDecoder->SDNUMINSYMS += pSeg->m_SymbolDict->NumImages(); | ||
| + dwNumSyms += pSeg->m_SymbolDict->NumImages(); | ||
| pLRSeg = pSeg; | ||
| } | ||
| } | ||
| + pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie(); | ||
|
|
||
| std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SDINSYMS; | ||
| if (pSymbolDictDecoder->SDNUMINSYMS != 0) { | ||
| SDINSYMS.reset(FX_Alloc(CJBig2_Image*, pSymbolDictDecoder->SDNUMINSYMS)); | ||
| - uint32_t dwTemp = 0; | ||
| + dwNumSyms = 0; | ||
| for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) { | ||
| CJBig2_Segment* pSeg = | ||
| FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]); | ||
| if (pSeg->m_cFlags.s.type == 0) { | ||
| const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict; | ||
| - for (size_t j = 0; j < dict.NumImages(); ++j) | ||
| - SDINSYMS.get()[dwTemp + j] = dict.GetImage(j); | ||
| - dwTemp += dict.NumImages(); | ||
| + for (uint32_t j = 0; j < dict.NumImages(); ++j) { | ||
| + uint32_t dwTemp = (dwNumSyms + j).ValueOrDie(); | ||
| + SDINSYMS.get()[dwTemp] = dict.GetImage(j); | ||
| + } | ||
| + dwNumSyms += dict.NumImages(); | ||
| } | ||
| } | ||
| } | ||
| @@ -624,27 +627,30 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) { | ||
| return JBig2_Result::kFailure; | ||
| } | ||
|
|
||
| - pTRD->SBNUMSYMS = 0; | ||
| + FX_SAFE_UINT32 dwNumSyms = 0; | ||
| for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) { | ||
| CJBig2_Segment* pSeg = | ||
| FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]); | ||
| if (pSeg->m_cFlags.s.type == 0) { | ||
| - pTRD->SBNUMSYMS += pSeg->m_SymbolDict->NumImages(); | ||
| + dwNumSyms += pSeg->m_SymbolDict->NumImages(); | ||
| } | ||
| } | ||
| + pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie(); | ||
|
|
||
| std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SBSYMS; | ||
| if (pTRD->SBNUMSYMS > 0) { | ||
| SBSYMS.reset(FX_Alloc(CJBig2_Image*, pTRD->SBNUMSYMS)); | ||
| - dwTemp = 0; | ||
| + dwNumSyms = 0; | ||
| for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) { | ||
| CJBig2_Segment* pSeg = | ||
| FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]); | ||
| if (pSeg->m_cFlags.s.type == 0) { | ||
| const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict; | ||
| - for (size_t j = 0; j < dict.NumImages(); ++j) | ||
| - SBSYMS.get()[dwTemp + j] = dict.GetImage(j); | ||
| - dwTemp += dict.NumImages(); | ||
| + for (uint32_t j = 0; j < dict.NumImages(); ++j) { | ||
| + uint32_t dwIndex = (dwNumSyms + j).ValueOrDie(); | ||
| + SBSYMS.get()[dwIndex] = dict.GetImage(j); | ||
| + } | ||
| + dwNumSyms += dict.NumImages(); | ||
| } | ||
| } | ||
| pTRD->SBSYMS = SBSYMS.get(); |