diff options
author | hong_zhang <hong_zhang@foxitsoftware.com> | 2016-08-12 15:15:56 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-12 15:15:56 -0700 |
commit | 8374fe4a11a513b23297e29d38c376d8cf36e8bf (patch) | |
tree | 84088626be0245660387abc76c6c9987ee4e15d3 | |
parent | c6833c2366e97b4779641464bf1d14d4115cc51d (diff) | |
download | pdfium-8374fe4a11a513b23297e29d38c376d8cf36e8bf.tar.xz |
fix 617135
to fix bug 617135
617135 described an exploit against pdfium using a malformed gif.
This fix introduced a couple edge case handling lines to address
the OOB issue.
BUG= 617135
Review-Url: https://codereview.chromium.org/2230683002
-rw-r--r-- | core/fxcodec/lgif/fx_gif.cpp | 21 | ||||
-rw-r--r-- | core/fxcodec/lgif/fx_gif.h | 2 |
2 files changed, 15 insertions, 8 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp index d6db28b427..b94445ccf3 100644 --- a/core/fxcodec/lgif/fx_gif.cpp +++ b/core/fxcodec/lgif/fx_gif.cpp @@ -925,10 +925,7 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) { gif_image_ptr->image_row_buf + gif_ptr->img_row_offset, gif_ptr->img_row_avail_size); if (ret == 0) { - FX_Free(gif_image_ptr->image_row_buf); - gif_image_ptr->image_row_buf = nullptr; - gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL); - gif_error(gif_ptr, "Decode Image Data Error"); + gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr); return 0; } while (ret != 0) { @@ -970,6 +967,10 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) { if (gif_image_ptr->image_row_num >= (int32_t)gif_image_ptr->image_info_ptr->height) { gif_ptr->img_pass_num++; + if (gif_ptr->img_pass_num == FX_ArraySize(s_gif_interlace_step)) { + gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr); + return 0; + } gif_image_ptr->image_row_num = s_gif_interlace_step[gif_ptr->img_pass_num] / 2; } @@ -984,10 +985,7 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) { gif_ptr->img_row_avail_size); } if (ret == 0) { - FX_Free(gif_image_ptr->image_row_buf); - gif_image_ptr->image_row_buf = nullptr; - gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL); - gif_error(gif_ptr, "Decode Image Data Error"); + gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr); return 0; } } @@ -997,6 +995,13 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) { gif_error(gif_ptr, "Decode Image Data Error"); return 0; } +void gif_decoding_failure_at_tail_cleanup(gif_decompress_struct_p gif_ptr, + GifImage* gif_image_ptr) { + FX_Free(gif_image_ptr->image_row_buf); + gif_image_ptr->image_row_buf = nullptr; + gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL); + gif_error(gif_ptr, "Decode Image Data Error"); +} void gif_save_decoding_status(gif_decompress_struct_p gif_ptr, int32_t status) { gif_ptr->decode_status = status; gif_ptr->next_in += gif_ptr->skip_size; diff --git a/core/fxcodec/lgif/fx_gif.h b/core/fxcodec/lgif/fx_gif.h index b7157df429..c669e9851e 100644 --- a/core/fxcodec/lgif/fx_gif.h +++ b/core/fxcodec/lgif/fx_gif.h @@ -291,6 +291,8 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num); uint8_t* gif_read_data(gif_decompress_struct_p gif_ptr, uint8_t** des_buf_pp, uint32_t data_size); +void gif_decoding_failure_at_tail_cleanup(gif_decompress_struct_p gif_ptr, + GifImage* gif_image_ptr); void gif_save_decoding_status(gif_decompress_struct_p gif_ptr, int32_t status); void gif_input_buffer(gif_decompress_struct_p gif_ptr, uint8_t* src_buf, |