summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-09 13:39:05 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-09 20:41:20 +0000
commitf04b7f1c438bf9f9e41a1925c6bcaa378c082ee1 (patch)
tree07161be4e5e367f6a623d8b187fc416269dc338a
parentc589fdc5e4e996dd6d2502f7267414c471e5fd6d (diff)
downloadpdfium-f04b7f1c438bf9f9e41a1925c6bcaa378c082ee1.tar.xz
Check validity of width and height in CCodec_TiffContext::LoadFrameInfo
We are using pdfium::base::checked_cast to get the width and height, but we may overflow and abort. Therefore, we should instead early return if the obtained width and height are not valid int32_t's. BUG=655056 Change-Id: Ic0c6b88a16dc3d547fe82736bb14ed3122cd356a Reviewed-on: https://pdfium-review.googlesource.com/2160 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r--core/fxcodec/codec/fx_codec_tiff.cpp9
1 files changed, 7 insertions, 2 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index be9c7d447f..cf38d71b37 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -267,8 +267,13 @@ bool CCodec_TiffContext::LoadFrameInfo(int32_t frame,
Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MAKE, pAttribute);
Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MODEL, pAttribute);
}
- *width = pdfium::base::checked_cast<int32_t>(tif_width);
- *height = pdfium::base::checked_cast<int32_t>(tif_height);
+ pdfium::base::CheckedNumeric<int32_t> checked_width = tif_width;
+ pdfium::base::CheckedNumeric<int32_t> checked_height = tif_height;
+ if (!checked_width.IsValid() || !checked_height.IsValid())
+ return false;
+
+ *width = checked_width.ValueOrDie();
+ *height = checked_height.ValueOrDie();
*comps = tif_comps;
*bpc = tif_bpc;
if (tif_rps > tif_height) {