diff options
author | Nicolas Pena <npm@chromium.org> | 2017-01-09 13:39:05 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-09 20:41:20 +0000 |
commit | f04b7f1c438bf9f9e41a1925c6bcaa378c082ee1 (patch) | |
tree | 07161be4e5e367f6a623d8b187fc416269dc338a | |
parent | c589fdc5e4e996dd6d2502f7267414c471e5fd6d (diff) | |
download | pdfium-f04b7f1c438bf9f9e41a1925c6bcaa378c082ee1.tar.xz |
Check validity of width and height in CCodec_TiffContext::LoadFrameInfo
We are using pdfium::base::checked_cast to get the width and height,
but we may overflow and abort. Therefore, we should instead early
return if the obtained width and height are not valid int32_t's.
BUG=655056
Change-Id: Ic0c6b88a16dc3d547fe82736bb14ed3122cd356a
Reviewed-on: https://pdfium-review.googlesource.com/2160
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r-- | core/fxcodec/codec/fx_codec_tiff.cpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp index be9c7d447f..cf38d71b37 100644 --- a/core/fxcodec/codec/fx_codec_tiff.cpp +++ b/core/fxcodec/codec/fx_codec_tiff.cpp @@ -267,8 +267,13 @@ bool CCodec_TiffContext::LoadFrameInfo(int32_t frame, Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MAKE, pAttribute); Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MODEL, pAttribute); } - *width = pdfium::base::checked_cast<int32_t>(tif_width); - *height = pdfium::base::checked_cast<int32_t>(tif_height); + pdfium::base::CheckedNumeric<int32_t> checked_width = tif_width; + pdfium::base::CheckedNumeric<int32_t> checked_height = tif_height; + if (!checked_width.IsValid() || !checked_height.IsValid()) + return false; + + *width = checked_width.ValueOrDie(); + *height = checked_height.ValueOrDie(); *comps = tif_comps; *bpc = tif_bpc; if (tif_rps > tif_height) { |