chore: cherry-pick a48de319c521 from pdfium (#33715)

* chore: cherry-pick a48de319c521 from pdfium * Update config.json * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
2026-04-10 03:01:51 -04:00 · 2022-04-12 03:00:25 -07:00
parent e11e12d5b3
commit 458a843174
3 changed files with 96 additions and 0 deletions
--- a/patches/config.json
+++ b/patches/config.json
@@ -5,6 +5,8 @@

  "src/electron/patches/webrtc": "src/third_party/webrtc",

+  "src/electron/patches/pdfium": "src/third_party/pdfium",
+
  "src/electron/patches/v8":  "src/v8",

  "src/electron/patches/node": "src/third_party/electron_node",
--- a/patches/pdfium/.patches
+++ b/patches/pdfium/.patches
@@ -0,0 +1 @@
+cherry-pick-a48de319c521.patch
--- a/patches/pdfium/cherry-pick-a48de319c521.patch
+++ b/patches/pdfium/cherry-pick-a48de319c521.patch
@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <tsepez@chromium.org>
+Date: Thu, 16 Dec 2021 23:53:35 +0000
+Subject: Use safe arithmetic in CJBig2_Context::ParseSymbolDict()
+
+These should be mitigated by size checks higher up, but it wouldn't
+hurt to be sure.
+
+Bug: chromium:1280743
+Change-Id: I03c46e3d11316a9f9634256bd0e2394548d2681e
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/88290
+Reviewed-by: Lei Zhang <thestig@chromium.org>
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+
+diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
+index 083e95ba4c16c21f5f3934df92e54dbb6ee4fe88..08bdb253f32a2a6c393af6246b88440d837876d9 100644
+--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
+@@ -409,28 +409,31 @@ JBig2_Result CJBig2_Context::ParseSymbolDict(CJBig2_Segment* pSegment) {
+       return JBig2_Result::kFailure;
+   }
+   CJBig2_Segment* pLRSeg = nullptr;
+-  pSymbolDictDecoder->SDNUMINSYMS = 0;
+  FX_SAFE_UINT32 dwNumSyms = 0;
+   for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
+     CJBig2_Segment* pSeg =
+         FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
+     if (pSeg->m_cFlags.s.type == 0) {
+-      pSymbolDictDecoder->SDNUMINSYMS += pSeg->m_SymbolDict->NumImages();
+      dwNumSyms += pSeg->m_SymbolDict->NumImages();
+       pLRSeg = pSeg;
+     }
+   }
+  pSymbolDictDecoder->SDNUMINSYMS = dwNumSyms.ValueOrDie();
+ 
+   std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SDINSYMS;
+   if (pSymbolDictDecoder->SDNUMINSYMS != 0) {
+     SDINSYMS.reset(FX_Alloc(CJBig2_Image*, pSymbolDictDecoder->SDNUMINSYMS));
+-    uint32_t dwTemp = 0;
+    dwNumSyms = 0;
+     for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
+       CJBig2_Segment* pSeg =
+           FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
+       if (pSeg->m_cFlags.s.type == 0) {
+         const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
+-        for (size_t j = 0; j < dict.NumImages(); ++j)
+-          SDINSYMS.get()[dwTemp + j] = dict.GetImage(j);
+-        dwTemp += dict.NumImages();
+        for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+          uint32_t dwTemp = (dwNumSyms + j).ValueOrDie();
+          SDINSYMS.get()[dwTemp] = dict.GetImage(j);
+        }
+        dwNumSyms += dict.NumImages();
+       }
+     }
+   }
+@@ -624,27 +627,30 @@ JBig2_Result CJBig2_Context::ParseTextRegion(CJBig2_Segment* pSegment) {
+       return JBig2_Result::kFailure;
+   }
+ 
+-  pTRD->SBNUMSYMS = 0;
+  FX_SAFE_UINT32 dwNumSyms = 0;
+   for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
+     CJBig2_Segment* pSeg =
+         FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
+     if (pSeg->m_cFlags.s.type == 0) {
+-      pTRD->SBNUMSYMS += pSeg->m_SymbolDict->NumImages();
+      dwNumSyms += pSeg->m_SymbolDict->NumImages();
+     }
+   }
+  pTRD->SBNUMSYMS = dwNumSyms.ValueOrDie();
+ 
+   std::unique_ptr<CJBig2_Image*, FxFreeDeleter> SBSYMS;
+   if (pTRD->SBNUMSYMS > 0) {
+     SBSYMS.reset(FX_Alloc(CJBig2_Image*, pTRD->SBNUMSYMS));
+-    dwTemp = 0;
+    dwNumSyms = 0;
+     for (int32_t i = 0; i < pSegment->m_nReferred_to_segment_count; ++i) {
+       CJBig2_Segment* pSeg =
+           FindSegmentByNumber(pSegment->m_Referred_to_segment_numbers[i]);
+       if (pSeg->m_cFlags.s.type == 0) {
+         const CJBig2_SymbolDict& dict = *pSeg->m_SymbolDict;
+-        for (size_t j = 0; j < dict.NumImages(); ++j)
+-          SBSYMS.get()[dwTemp + j] = dict.GetImage(j);
+-        dwTemp += dict.NumImages();
+        for (uint32_t j = 0; j < dict.NumImages(); ++j) {
+          uint32_t dwIndex = (dwNumSyms + j).ValueOrDie();
+          SBSYMS.get()[dwIndex] = dict.GetImage(j);
+        }
+        dwNumSyms += dict.NumImages();
+       }
+     }
+     pTRD->SBSYMS = SBSYMS.get();