diff options
author | Tom Sepez <tsepez@chromium.org> | 2015-07-13 13:14:55 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-07-13 13:14:55 -0700 |
commit | d14dd02bc9d5c521b88c9f1175c3a11cacf914b1 (patch) | |
tree | 4fab5f1b63d2249a48ccd086639d60a05e8b0ac9 | |
parent | ce95f50e0ed551f6280f163a05b58031a3d011a9 (diff) | |
download | pdfium-d14dd02bc9d5c521b88c9f1175c3a11cacf914b1.tar.xz |
Merge to M44: Redo range check in CPDF_SampledFunc::v_Call().
BUG=471990
TBR=thestig@chromium.org
Review URL: https://codereview.chromium.org/1230663004.
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 5 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp | 60 |
2 files changed, 36 insertions, 29 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp index b6bf7950ff..8623ef2d32 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp @@ -954,11 +954,14 @@ FX_BOOL CPDF_SeparationCS::v_Load(CPDF_Document* pDoc, CPDF_Array* pArray) return FALSE; } m_pAltCS = Load(pDoc, pAltCS); + if (!m_pAltCS) { + return FALSE; + } CPDF_Object* pFuncObj = pArray->GetElementValue(3); if (pFuncObj && pFuncObj->GetType() != PDFOBJ_NAME) { m_pFunc = CPDF_Function::Load(pFuncObj); } - if (m_pFunc && m_pAltCS && m_pFunc->CountOutputs() < m_pAltCS->CountComponents()) { + if (m_pFunc && m_pFunc->CountOutputs() < m_pAltCS->CountComponents()) { delete m_pFunc; m_pFunc = NULL; } diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp index bd1cdb6434..ca93e249d6 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp @@ -451,7 +451,8 @@ public: virtual FX_BOOL v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const; SampleEncodeInfo* m_pEncodeInfo; SampleDecodeInfo* m_pDecodeInfo; - FX_DWORD m_nBitsPerSample, m_SampleMax; + FX_DWORD m_nBitsPerSample; + FX_DWORD m_SampleMax; CPDF_StreamAcc* m_pSampleStream; }; CPDF_SampledFunc::CPDF_SampledFunc() @@ -483,21 +484,20 @@ FX_BOOL CPDF_SampledFunc::v_Init(CPDF_Object* pObj) CPDF_Array* pEncode = pDict->GetArray(FX_BSTRC("Encode")); CPDF_Array* pDecode = pDict->GetArray(FX_BSTRC("Decode")); m_nBitsPerSample = pDict->GetInteger(FX_BSTRC("BitsPerSample")); + if (m_nBitsPerSample > 32) { + return FALSE; + } m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample); m_pSampleStream = new CPDF_StreamAcc; m_pSampleStream->LoadAllData(pStream, FALSE); m_pEncodeInfo = FX_Alloc(SampleEncodeInfo, m_nInputs); - int i; - FX_DWORD nTotalSamples = 1; - for (i = 0; i < m_nInputs; i ++) { + FX_SAFE_DWORD nTotalSampleBits = 1; + for (int i = 0; i < m_nInputs; i ++) { m_pEncodeInfo[i].sizes = pSize ? pSize->GetInteger(i) : 0; if (!pSize && i == 0) { m_pEncodeInfo[i].sizes = pDict->GetInteger(FX_BSTRC("Size")); } - if (nTotalSamples > 0 && (FX_UINT32)(m_pEncodeInfo[i].sizes) > UINT_MAX / nTotalSamples) { - return FALSE; - } - nTotalSamples *= m_pEncodeInfo[i].sizes; + nTotalSampleBits *= m_pEncodeInfo[i].sizes; if (pEncode) { m_pEncodeInfo[i].encode_min = pEncode->GetFloat(i * 2); m_pEncodeInfo[i].encode_max = pEncode->GetFloat(i * 2 + 1); @@ -510,19 +510,18 @@ FX_BOOL CPDF_SampledFunc::v_Init(CPDF_Object* pObj) } } } - if (nTotalSamples > 0 && m_nBitsPerSample > UINT_MAX / nTotalSamples) { - return FALSE; - } - nTotalSamples *= m_nBitsPerSample; - if (nTotalSamples > 0 && ((FX_UINT32)m_nOutputs) > UINT_MAX / nTotalSamples) { - return FALSE; - } - nTotalSamples *= m_nOutputs; - if (nTotalSamples == 0 || m_pSampleStream->GetSize() * 8 < nTotalSamples) { + nTotalSampleBits *= m_nBitsPerSample; + nTotalSampleBits *= m_nOutputs; + FX_SAFE_DWORD nTotalSampleBytes = nTotalSampleBits; + nTotalSampleBytes += 7; + nTotalSampleBytes /= 8; + if (!nTotalSampleBytes.IsValid() || + nTotalSampleBytes.ValueOrDie() == 0 || + nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()) { return FALSE; } m_pDecodeInfo = FX_Alloc(SampleDecodeInfo, m_nOutputs); - for (i = 0; i < m_nOutputs; i ++) { + for (int i = 0; i < m_nOutputs; i ++) { if (pDecode) { m_pDecodeInfo[i].decode_min = pDecode->GetFloat(2 * i); m_pDecodeInfo[i].decode_max = pDecode->GetFloat(2 * i + 1); @@ -557,20 +556,23 @@ FX_BOOL CPDF_SampledFunc::v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const } pos += index[i] * blocksize[i]; } + FX_SAFE_INT32 bits_to_output = m_nOutputs; + bits_to_output *= m_nBitsPerSample; + if (!bits_to_output.IsValid()) { + return FALSE; + } FX_SAFE_INT32 bitpos = pos; - bitpos *= m_nBitsPerSample; - bitpos *= m_nOutputs; + bitpos *= bits_to_output.ValueOrDie(); if (!bitpos.IsValid()) { return FALSE; } - FX_LPCBYTE pSampleData = m_pSampleStream->GetData(); - if (pSampleData == NULL) { + FX_SAFE_INT32 range_check = bitpos; + range_check += bits_to_output.ValueOrDie(); + if (!range_check.IsValid()) { return FALSE; } - FX_SAFE_INT32 bitpos1 = m_nOutputs - 1 > 0 ? m_nOutputs - 1 : 0; - bitpos1 *= m_nBitsPerSample; - bitpos1 += bitpos.ValueOrDie(); - if (!bitpos1.IsValid()) { + const uint8_t* pSampleData = m_pSampleStream->GetData(); + if (!pSampleData) { return FALSE; } for (int j = 0; j < m_nOutputs; j ++) { @@ -871,14 +873,16 @@ FX_BOOL CPDF_Function::Init(CPDF_Object* pObj) } } FX_DWORD old_outputs = m_nOutputs; - FX_BOOL ret = v_Init(pObj); + if (!v_Init(pObj)) { + return FALSE; + } if (m_pRanges && m_nOutputs > (int)old_outputs) { m_pRanges = FX_Realloc(FX_FLOAT, m_pRanges, m_nOutputs * 2); if (m_pRanges) { FXSYS_memset32(m_pRanges + (old_outputs * 2), 0, sizeof(FX_FLOAT) * (m_nOutputs - old_outputs) * 2); } } - return ret; + return TRUE; } FX_BOOL CPDF_Function::Call(FX_FLOAT* inputs, int ninputs, FX_FLOAT* results, int& nresults) const { |