summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorhong_zhang <hong_zhang@foxitsoftware.com>2016-08-12 15:15:56 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-12 15:15:56 -0700
commit8374fe4a11a513b23297e29d38c376d8cf36e8bf (patch)
tree84088626be0245660387abc76c6c9987ee4e15d3
parentc6833c2366e97b4779641464bf1d14d4115cc51d (diff)
downloadpdfium-8374fe4a11a513b23297e29d38c376d8cf36e8bf.tar.xz
fix 617135
to fix bug 617135 617135 described an exploit against pdfium using a malformed gif. This fix introduced a couple edge case handling lines to address the OOB issue. BUG= 617135 Review-Url: https://codereview.chromium.org/2230683002
-rw-r--r--core/fxcodec/lgif/fx_gif.cpp21
-rw-r--r--core/fxcodec/lgif/fx_gif.h2
2 files changed, 15 insertions, 8 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index d6db28b427..b94445ccf3 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -925,10 +925,7 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
gif_image_ptr->image_row_buf + gif_ptr->img_row_offset,
gif_ptr->img_row_avail_size);
if (ret == 0) {
- FX_Free(gif_image_ptr->image_row_buf);
- gif_image_ptr->image_row_buf = nullptr;
- gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL);
- gif_error(gif_ptr, "Decode Image Data Error");
+ gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr);
return 0;
}
while (ret != 0) {
@@ -970,6 +967,10 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
if (gif_image_ptr->image_row_num >=
(int32_t)gif_image_ptr->image_info_ptr->height) {
gif_ptr->img_pass_num++;
+ if (gif_ptr->img_pass_num == FX_ArraySize(s_gif_interlace_step)) {
+ gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr);
+ return 0;
+ }
gif_image_ptr->image_row_num =
s_gif_interlace_step[gif_ptr->img_pass_num] / 2;
}
@@ -984,10 +985,7 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
gif_ptr->img_row_avail_size);
}
if (ret == 0) {
- FX_Free(gif_image_ptr->image_row_buf);
- gif_image_ptr->image_row_buf = nullptr;
- gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL);
- gif_error(gif_ptr, "Decode Image Data Error");
+ gif_decoding_failure_at_tail_cleanup(gif_ptr, gif_image_ptr);
return 0;
}
}
@@ -997,6 +995,13 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
gif_error(gif_ptr, "Decode Image Data Error");
return 0;
}
+void gif_decoding_failure_at_tail_cleanup(gif_decompress_struct_p gif_ptr,
+ GifImage* gif_image_ptr) {
+ FX_Free(gif_image_ptr->image_row_buf);
+ gif_image_ptr->image_row_buf = nullptr;
+ gif_save_decoding_status(gif_ptr, GIF_D_STATUS_TAIL);
+ gif_error(gif_ptr, "Decode Image Data Error");
+}
void gif_save_decoding_status(gif_decompress_struct_p gif_ptr, int32_t status) {
gif_ptr->decode_status = status;
gif_ptr->next_in += gif_ptr->skip_size;
diff --git a/core/fxcodec/lgif/fx_gif.h b/core/fxcodec/lgif/fx_gif.h
index b7157df429..c669e9851e 100644
--- a/core/fxcodec/lgif/fx_gif.h
+++ b/core/fxcodec/lgif/fx_gif.h
@@ -291,6 +291,8 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num);
uint8_t* gif_read_data(gif_decompress_struct_p gif_ptr,
uint8_t** des_buf_pp,
uint32_t data_size);
+void gif_decoding_failure_at_tail_cleanup(gif_decompress_struct_p gif_ptr,
+ GifImage* gif_image_ptr);
void gif_save_decoding_status(gif_decompress_struct_p gif_ptr, int32_t status);
void gif_input_buffer(gif_decompress_struct_p gif_ptr,
uint8_t* src_buf,