diff options
| author | foxit <jun_fang@foxitsoftware.com> | 2014-06-20 16:48:43 -0700 |
|---|---|---|
| committer | foxit <jun_fang@foxitsoftware.com> | 2014-06-20 16:48:43 -0700 |
| commit | 3e4b1bc1ac4eb8372a90f95edd69131e54240976 (patch) | |
| tree | 3e73c6a08911fec6621a43907713542c2d808ed2 | |
| parent | d9713f05fdcecab8428d39034c6b84cd0bbd2920 (diff) | |
| download | pdfium-3e4b1bc1ac4eb8372a90f95edd69131e54240976.tar.xz | |
Stack-buffer-overflow in IccLib_Translate
BUG=382240
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/332143002
| -rw-r--r-- | core/include/fxcodec/fx_codec.h | 1 | ||||
| -rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 1 | ||||
| -rw-r--r-- | core/src/fxcodec/codec/codec_int.h | 2 | ||||
| -rw-r--r-- | core/src/fxcodec/codec/fx_codec_icc.cpp | 12 |
4 files changed, 10 insertions, 6 deletions
diff --git a/core/include/fxcodec/fx_codec.h b/core/include/fxcodec/fx_codec.h index e215bb1d79..ac3f71e7bb 100644 --- a/core/include/fxcodec/fx_codec.h +++ b/core/include/fxcodec/fx_codec.h @@ -281,6 +281,7 @@ public: virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues) = 0; virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels) = 0; + virtual void SetComponents(FX_DWORD nComponents) = 0; }; void AdobeCMYK_to_sRGB(FX_FLOAT c, FX_FLOAT m, FX_FLOAT y, FX_FLOAT k, FX_FLOAT& R, FX_FLOAT& G, FX_FLOAT& B); void AdobeCMYK_to_sRGB1(FX_BYTE c, FX_BYTE m, FX_BYTE y, FX_BYTE k, FX_BYTE& R, FX_BYTE& G, FX_BYTE& B); diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp index 8c274b2607..c13395c7ce 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp @@ -642,6 +642,7 @@ FX_BOOL CPDF_ICCBasedCS::GetRGB(FX_FLOAT* pBuf, FX_FLOAT& R, FX_FLOAT& G, FX_FLO return TRUE; } FX_FLOAT rgb[3]; + pIccModule->SetComponents(m_nComponents); pIccModule->Translate(m_pProfile->m_pTransform, pBuf, rgb); R = rgb[0]; G = rgb[1]; diff --git a/core/src/fxcodec/codec/codec_int.h b/core/src/fxcodec/codec/codec_int.h index 638d96db85..47f2c8e1fe 100644 --- a/core/src/fxcodec/codec/codec_int.h +++ b/core/src/fxcodec/codec/codec_int.h @@ -172,10 +172,12 @@ public: virtual void DestroyTransform(FX_LPVOID pTransform); virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues); virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels); + virtual void SetComponents(FX_DWORD nComponents) {m_nComponents = nComponents;} virtual ~CCodec_IccModule(); protected: CFX_MapByteStringToPtr m_MapTranform; CFX_MapByteStringToPtr m_MapProfile; + FX_DWORD m_nComponents; typedef enum { Icc_CLASS_INPUT = 0, Icc_CLASS_OUTPUT, diff --git a/core/src/fxcodec/codec/fx_codec_icc.cpp b/core/src/fxcodec/codec/fx_codec_icc.cpp index 22659ba9ff..b10d9c4868 100644 --- a/core/src/fxcodec/codec/fx_codec_icc.cpp +++ b/core/src/fxcodec/codec/fx_codec_icc.cpp @@ -147,7 +147,7 @@ void IccLib_DestroyTransform(void* pTransform) cmsDeleteTransform(((CLcmsCmm*)pTransform)->m_hTransform); delete (CLcmsCmm*)pTransform; } -void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues) +void IccLib_Translate(void* pTransform, FX_DWORD nSrcComponents, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues) { if (pTransform == NULL) { return; @@ -155,16 +155,16 @@ void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestVal CLcmsCmm* p = (CLcmsCmm*)pTransform; FX_BYTE output[4]; if (p->m_bLab) { - CFX_FixedBufGrow<double, 16> inputs(p->m_nSrcComponents); + CFX_FixedBufGrow<double, 16> inputs(nSrcComponents); double* input = inputs; - for (int i = 0; i < p->m_nSrcComponents; i ++) { + for (FX_DWORD i = 0; i < nSrcComponents; i ++) { input[i] = pSrcValues[i]; } cmsDoTransform(p->m_hTransform, input, output, 1); } else { - CFX_FixedBufGrow<FX_BYTE, 16> inputs(p->m_nSrcComponents); + CFX_FixedBufGrow<FX_BYTE, 16> inputs(nSrcComponents); FX_BYTE* input = inputs; - for (int i = 0; i < p->m_nSrcComponents; i ++) { + for (FX_DWORD i = 0; i < nSrcComponents; i ++) { if (pSrcValues[i] > 1.0f) { input[i] = 255; } else if (pSrcValues[i] < 0) { @@ -534,7 +534,7 @@ void CCodec_IccModule::DestroyTransform(void* pTransform) } void CCodec_IccModule::Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues) { - IccLib_Translate(pTransform, pSrcValues, pDestValues); + IccLib_Translate(pTransform, m_nComponents, pSrcValues, pDestValues); } void CCodec_IccModule::TranslateScanline(void* pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels) { |