From be1a6f294fa01016282a76d2ad8530627e434342 Mon Sep 17 00:00:00 2001
From: Jonas Jenwald <jonas.jenwald@gmail.com>
Date: Fri, 17 Mar 2017 10:29:08 +0100
Subject: [PATCH] Try to recover when encountering JPEG markers with too short
 marker lengths (issue 8169)

The issue with the JPEG image in question, is that the COM (Comment) marker has an incorrect length entry.

Fixes 8169.
---
 src/core/jpg.js              | 23 ++++++++++++++++++++++-
 test/pdfs/issue8169.pdf.link |  1 +
 test/test_manifest.json      |  7 +++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 test/pdfs/issue8169.pdf.link

diff --git a/src/core/jpg.js b/src/core/jpg.js
index ac5397ac5b70b..9ce9785155c51 100644
--- a/src/core/jpg.js
+++ b/src/core/jpg.js
@@ -26,6 +26,7 @@
   }
 }(this, function (exports, sharedUtil) {
 
+var warn = sharedUtil.warn;
 var error = sharedUtil.error;
 
 /**
@@ -604,8 +605,28 @@ var JpegImage = (function JpegImageClosure() {
       }
 
       function readDataBlock() {
+        function isValidMarkerAt(pos) {
+          if (pos < data.length - 1) {
+            return (data[pos] === 0xFF &&
+                    data[pos + 1] >= 0xC0 && data[pos + 1] <= 0xFE);
+          }
+          return true;
+        }
+
         var length = readUint16();
-        var array = data.subarray(offset, offset + length - 2);
+        var endOffset = offset + length - 2;
+
+        if (!isValidMarkerAt(endOffset)) {
+          warn('readDataBlock - incorrect length, next marker is: ' +
+               (data[endOffset] << 8 | data[endOffset + 1]).toString('16'));
+          var pos = offset;
+          while (!isValidMarkerAt(pos)) {
+            pos++;
+          }
+          endOffset = pos;
+        }
+
+        var array = data.subarray(offset, endOffset);
         offset += array.length;
         return array;
       }
diff --git a/test/pdfs/issue8169.pdf.link b/test/pdfs/issue8169.pdf.link
new file mode 100644
index 0000000000000..da564680cb473
--- /dev/null
+++ b/test/pdfs/issue8169.pdf.link
@@ -0,0 +1 @@
+http://web.archive.org/save/_embed/http://210.243.166.143/prob1.pdf
diff --git a/test/test_manifest.json b/test/test_manifest.json
index 95ba6363e8298..8904e6ce5da63 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -733,6 +733,13 @@
        "link": false,
        "type": "eq"
     },
+    {  "id": "issue8169",
+       "file": "pdfs/issue8169.pdf",
+       "md5": "62fd6479f9e1c8c5ce8cba6b1781d0a5",
+       "rounds": 1,
+       "link": true,
+       "type": "eq"
+    },
     {  "id": "txt2pdf",
        "file": "pdfs/txt2pdf.pdf",
        "md5": "02cefa0f5e8d96313bb05163b2f88c8c",