authorSimon Bünzli <zeniko@gmail.com>2014-01-08 15:42:12 +0100
committerRobin Watts <robin.watts@artifex.com>2014-01-08 17:55:04 +0000
commit835488aa0fb45f7c752f12f7184c76df26e8e5dc (patch)
tree6b14508818a94d4bf3aa8c48d2204e7727193a7a
parentc6c015b84f6d74a55787f88d31cce67baacbdeef (diff)
downloadmupdf-835488aa0fb45f7c752f12f7184c76df26e8e5dc.tar.xz
sanitize values in fz_open_predict
This fixes a NULL pointer dereference in 2192b04848b2d8210d1a33e3ddeb2742_asan_heap-oob_a5a57d_2745_2844.pdf. Also, replace MAXC with FZ_MAX_COLORS.
-rw-r--r--source/fitz/filter-predict.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/source/fitz/filter-predict.c b/source/fitz/filter-predict.c
index 6bc75c8e..e8f885a7 100644
--- a/source/fitz/filter-predict.c
+++ b/source/fitz/filter-predict.c
@@ -2,8 +2,6 @@
/* TODO: check if this works with 16bpp images */
-enum { MAXC = 32 };
-
typedef struct fz_predict_s fz_predict;
struct fz_predict_s
@@ -61,7 +59,7 @@ static inline int paeth(int a, int b, int c)
static void
fz_predict_tiff(fz_predict *state, unsigned char *out, unsigned char *in, int len)
{
- int left[MAXC];
+ int left[FZ_MAX_COLORS];
int i, k;
const int mask = (1 << state->bpc)-1;
@@ -217,6 +215,13 @@ fz_open_predict(fz_stream *chain, int predictor, int columns, int colors, int bp
fz_try(ctx)
{
+ if (bpc != 1 && bpc != 2 && bpc != 4 && bpc != 8 && bpc != 16)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid number of bits per component: %d", bpc);
+ if (colors > FZ_MAX_COLORS)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many color components (%d > %d)", colors, FZ_MAX_COLORS);
+ if (columns >= INT_MAX / (bpc * colors))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
+
state = fz_malloc_struct(ctx, fz_predict);
state->in = NULL;
state->out = NULL;
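Review bot: The overflow guard on the `columns` line divides by `bpc * colors`, and nothing in the hunk rejects `colors == 0`, so a zero colour count turns the new sanitizing into a division by zero; a negative `colors` is thrown out only by accident (the divisor goes negative and the comparison always holds), while a negative `columns` compares below the bound and is accepted. Tightening the two existing checks to reject non-positive values closes this: `if (colors < 1 || colors > FZ_MAX_COLORS)` and `if (columns < 1 || columns >= INT_MAX / (bpc * colors))`. If the stride computed later in the function adds a rounding constant to `bpc * colors * columns` before dividing, the `>=` bound may still let that sum overflow at the boundary, which is worth confirming against that line. fz_open_predict begins and ends outside the hunk.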