diff options
author | Lei Zhang <thestig@chromium.org> | 2017-11-03 18:37:35 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-11-03 18:37:35 +0000 |
commit | ff63663ce08c31efa416bc797c2d3ef96759f780 (patch) | |
tree | 3df06355d62efac59b2123d2b4bb5abd7c536022 | |
parent | d7999f6a794207842544214d015af6f06322157c (diff) | |
download | pdfium-ff63663ce08c31efa416bc797c2d3ef96759f780.tar.xz |
The component count in CPDF_IndexedCS should be unsigned.
Since the source of the component count is unsigned. Adjust related
variables to also be unsigned. In CPDF_IndexedCS::GetRGB(), switch
integer overflow code to use FX_SAFE_SIZE_T, and write to the out params
correctly on failure.
Change-Id: If7405b4c5e9022ba1992fff2be2bcc1a7826adf4
Reviewed-on: https://pdfium-review.googlesource.com/17770
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r-- | core/fpdfapi/page/cpdf_colorspace.cpp | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/core/fpdfapi/page/cpdf_colorspace.cpp b/core/fpdfapi/page/cpdf_colorspace.cpp index dd13bf5049..ec45160ef8 100644 --- a/core/fpdfapi/page/cpdf_colorspace.cpp +++ b/core/fpdfapi/page/cpdf_colorspace.cpp @@ -197,7 +197,7 @@ class CPDF_IndexedCS : public CPDF_ColorSpace { CPDF_ColorSpace* m_pBaseCS; UnownedPtr<CPDF_CountedColorSpace> m_pCountedBaseCS; - int m_nBaseComponents; + uint32_t m_nBaseComponents; int m_MaxIndex; ByteString m_Table; float* m_pCompMinMax; @@ -1013,7 +1013,7 @@ bool CPDF_IndexedCS::v_Load(CPDF_Document* pDoc, m_nBaseComponents = m_pBaseCS->CountComponents(); m_pCompMinMax = FX_Alloc2D(float, m_nBaseComponents, 2); float defvalue; - for (int i = 0; i < m_nBaseComponents; i++) { + for (uint32_t i = 0; i < m_nBaseComponents; i++) { m_pBaseCS->GetDefaultValue(i, &defvalue, &m_pCompMinMax[i * 2], &m_pCompMinMax[i * 2 + 1]); m_pCompMinMax[i * 2 + 1] -= m_pCompMinMax[i * 2]; @@ -1035,21 +1035,25 @@ bool CPDF_IndexedCS::v_Load(CPDF_Document* pDoc, } bool CPDF_IndexedCS::GetRGB(float* pBuf, float* R, float* G, float* B) const { - int index = static_cast<int32_t>(*pBuf); + int32_t index = static_cast<int32_t>(*pBuf); if (index < 0 || index > m_MaxIndex) return false; if (m_nBaseComponents) { - if (index == INT_MAX || (index + 1) > INT_MAX / m_nBaseComponents || - (index + 1) * m_nBaseComponents > (int)m_Table.GetLength()) { - R = G = B = 0; + FX_SAFE_SIZE_T length = index; + length += 1; + length *= m_nBaseComponents; + if (!length.IsValid() || length.ValueOrDie() > m_Table.GetLength()) { + *R = 0; + *G = 0; + *B = 0; return false; } } CFX_FixedBufGrow<float, 16> Comps(m_nBaseComponents); float* comps = Comps; const uint8_t* pTable = m_Table.raw_str(); - for (int i = 0; i < m_nBaseComponents; i++) { + for (uint32_t i = 0; i < m_nBaseComponents; i++) { comps[i] = m_pCompMinMax[i * 2] + m_pCompMinMax[i * 2 + 1] * pTable[index * m_nBaseComponents + i] / 255; |