authorTom Sepez <tsepez@chromium.org>2021-12-16 23:53:35 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-02-18 01:12:53 +0000
commitc9b40289c5069cd340e2923c808eb22c89d8f6e5 (patch)
tree848c8b4c810a8f9e039acf1f03722446d0072ea5
parent52c8c403c24b64c332d3ef48d4e2c7d5fecd4516 (diff)
downloadqtwebengine-chromium-c9b40289c5069cd340e2923c808eb22c89d8f6e5.tar.gz
[Backport] Security bug 1280743
Cherry-pick of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/88290: Use safe arithmetic in CJBig2_Context::ParseSymbolDict() These should be mitigated by size checks higher up, but it wouldn't hurt to be sure. Bug: chromium:1280743 Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp30
1 files changed, 18 insertions, 12 deletions
diff --git a/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp b/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp
index 8eab1dc6bef..117f707ee9b 100644
--- a/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -409,28 +409,31 @@ JBig2_Result CJBig2_Context::ParseSymbolDict(CJBig2_Segment* pSegment) {
return JBig2_Result::kFailure;
}
CJBig2_Segment* pLRSeg = nullptr;
- pSymbolDictDecoder->SDNUMINSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pSymbolDictDecoder->SDNUMINSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
pLRSeg = pSeg;
}
}
+ pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie();
std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SDINSYMS;
if (pSymbolDictDecoder->SDNUMINSYMS != 0) {
SDINSYMS.reset(FX_Alloc(CJBig2_Image*, pSymbolDictDecoder->SDNUMINSYMS));
- uint32_t dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SDINSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwTemp = (dwNumSyms + j).ValueOrDie();
+ SDINSYMS.get()[dwTemp] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
}
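Review bot: `pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie();` turns an overflowed symbol count into a CHECK failure, so an input that defeats the "size checks higher up" the description relies on aborts the process instead of failing the parse, while the function already has a soft failure path (`return JBig2_Result::kFailure;` at the top of this hunk). Consider `if (!dwNumSyms.IsValid()) return JBig2_Result::kFailure;` ahead of the assignment, which keeps the overflow case consistent with the other error returns and leaves nothing for a fuzzer to crash on; the same applies to the `pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie();` line in the ParseTextRegion hunk. The `(dwNumSyms + j).ValueOrDie()` inside the inner loop cannot fail once the total has been validated, since every partial sum is bounded by that total, so it could be accompanied by a comment such as `// Cannot overflow: bounded by the validated SDNUMINSYMS total.` to make the intent clear. ParseSymbolDict's body starts and ends outside the hunk.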
@@ -624,27 +627,30 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) {
return JBig2_Result::kFailure;
}
- pTRD->SBNUMSYMS = 0;
+ FX_SAFE_UINT32 dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
- pTRD->SBNUMSYMS += pSeg->m_SymbolDict->NumImages();
+ dwNumSyms += pSeg->m_SymbolDict->NumImages();
}
}
+ pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie();
std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SBSYMS;
if (pTRD->SBNUMSYMS > 0) {
SBSYMS.reset(FX_Alloc(CJBig2_Image*, pTRD->SBNUMSYMS));
- dwTemp = 0;
+ dwNumSyms = 0;
for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
CJBig2_Segment* pSeg =
FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
if (pSeg->m_cFlags.s.type == 0) {
const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
- for (size_t j = 0; j < dict.NumImages(); ++j)
- SBSYMS.get()[dwTemp + j] = dict.GetImage(j);
- dwTemp += dict.NumImages();
+ for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+ uint32_t dwIndex = (dwNumSyms + j).ValueOrDie();
+ SBSYMS.get()[dwIndex] = dict.GetImage(j);
+ }
+ dwNumSyms += dict.NumImages();
}
}
pTRD->SBSYMS = SBSYMS.get();
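Review bot: The inner index is named `dwIndex` here but `dwTemp` in the otherwise identical loop added to ParseSymbolDict; the two loops are parallel code and would read better with the same name, and `dwIndex` is the clearer of the two, so I would rename the ParseSymbolDict one to `uint32_t dwIndex = (dwNumSyms + j).ValueOrDie();`. ParseTextRegion's body starts and ends outside the hunk.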