Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick a48de319c521 from pdfium #33715

Merged
merged 3 commits into from Apr 12, 2022
+96 −0
Merged

chore: cherry-pick a48de319c521 from pdfium #33715

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
255e9f9
chore: cherry-pick a48de319c521 from pdfium
nornagon Apr 11, 2022
c66ff0a
Update config.json
nornagon Apr 11, 2022
6a29128
chore: update patches
patchup[bot] Apr 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 2 additions & 0 deletions patches/config.json
View file
Open in desktop
Expand Up @@ -5,6 +5,8 @@

"src/electron/patches/webrtc": "src/third_party/webrtc",

"src/electron/patches/pdfium": "src/third_party/pdfium",

"src/electron/patches/v8": "src/v8",

"src/electron/patches/node": "src/third_party/electron_node",
Expand Down
1 change: 1 addition & 0 deletions patches/pdfium/.patches
View file
Open in desktop
@@ -0,0 +1 @@
cherry-pick-a48de319c521.patch
93 changes: 93 additions & 0 deletions patches/pdfium/cherry-pick-a48de319c521.patch
View file
Open in desktop
@@ -0,0 +1,93 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Thu, 16 Dec 2021 23:53:35 +0000
Subject: Use safe arithmetic in CJBig2_Context::ParseSymbolDict()

These should be mitigated by size checks higher up, but it wouldn't
hurt to be sure.

Bug: chromium:1280743
Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/88290
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 083e95ba4c16c21f5f3934df92e54dbb6ee4fe88..08bdb253f32a2a6c393af6246b88440d837876d9 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -409,28 +409,31 @@ JBig2_Result CJBig2_Context::ParseSymbolDict(CJBig2_Segment* pSegment) {
return JBig2_Result::kFailure;
}
CJBig2_Segment* pLRSeg = nullptr;
- pSymbolDictDecoder->SDNUMINSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pSymbolDictDecoder->SDNUMINSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
pLRSeg = pSeg;
}
}
+ pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie();

std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SDINSYMS;
if (pSymbolDictDecoder->SDNUMINSYMS != 0) {
SDINSYMS.reset(FX_Alloc(CJBig2_Image*, pSymbolDictDecoder->SDNUMINSYMS));
- uint32_t dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SDINSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwTemp = (dwNumSyms + j).ValueOrDie();
+ SDINSYMS.get()[dwTemp] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
}
@@ -624,27 +627,30 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) {
return JBig2_Result::kFailure;
}

- pTRD->SBNUMSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pTRD->SBNUMSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
}
}
+ pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie();

std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SBSYMS;
if (pTRD->SBNUMSYMS > 0) {
SBSYMS.reset(FX_Alloc(CJBig2_Image*, pTRD->SBNUMSYMS));
- dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SBSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwIndex = (dwNumSyms + j).ValueOrDie();
+ SBSYMS.get()[dwIndex] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
pTRD->SBSYMS = SBSYMS.get();