diff options
author | Nicolas Pena <npm@chromium.org> | 2017-02-14 11:56:37 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-14 18:28:22 +0000 |
commit | 7d4ccd7b5dd9ebb14e97ad35fb3bc093225b939a (patch) | |
tree | 9641facfa872657211574ed6ccd6dad0645fff53 | |
parent | 940f559b985d4a742c21b21cb077a232e44dd289 (diff) | |
download | pdfium-7d4ccd7b5dd9ebb14e97ad35fb3bc093225b939a.tar.xz |
Prevent heap-buffer-overflow in CCodec_ProgressiveDecoder
In CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback, m_pSrcPalette
can be allocated size pal_num. So if pal_index >= pal_num, then bail out.
BUG=691278
Change-Id: Ib0157cf51cbf52ecd5d60b027e5fc32898a906ed
Reviewed-on: https://pdfium-review.googlesource.com/2699
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | core/fxcodec/codec/fx_codec_progress.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/core/fxcodec/codec/fx_codec_progress.cpp b/core/fxcodec/codec/fx_codec_progress.cpp index 386b66a7e6..4a1719f0f7 100644 --- a/core/fxcodec/codec/fx_codec_progress.cpp +++ b/core/fxcodec/codec/fx_codec_progress.cpp @@ -663,11 +663,10 @@ bool CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback( pal_num = pCodec->m_GifPltNumber; pPalette = pCodec->m_pGifPalette; } - if (!pCodec->m_pSrcPalette) { + if (!pCodec->m_pSrcPalette) pCodec->m_pSrcPalette = FX_Alloc(FX_ARGB, pal_num); - } else if (pal_num > pCodec->m_SrcPaletteNumber) { + else if (pal_num > pCodec->m_SrcPaletteNumber) pCodec->m_pSrcPalette = FX_Realloc(FX_ARGB, pCodec->m_pSrcPalette, pal_num); - } if (!pCodec->m_pSrcPalette) return false; @@ -682,15 +681,16 @@ bool CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback( pCodec->m_SrcPassNumber = interlace ? 4 : 1; int32_t pal_index = pCodec->m_GifBgIndex; CFX_DIBitmap* pDevice = pCodec->m_pDeviceBitmap; - if (trans_index >= pal_num) { + if (trans_index >= pal_num) trans_index = -1; - } if (trans_index != -1) { pCodec->m_pSrcPalette[trans_index] &= 0x00ffffff; - if (pDevice->HasAlpha()) { + if (pDevice->HasAlpha()) pal_index = trans_index; - } } + if (pal_index >= pal_num) + return false; + int startX = pCodec->m_startX; int startY = pCodec->m_startY; int sizeX = pCodec->m_sizeX; |