author: ochang <ochang@chromium.org> 2016-04-15 13:52:00 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-04-15 13:52:00 -0700
commit: 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41 (patch)
tree: 8be0c41efc1bce888ee8429e9adf4f13f379ba64
parent: 018935c9304bebf13fbad20b124d775ccae87fae (diff)
Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and its CPDF_ColorSpace, caused by the code that attempts to recover from a failed decoder initialisation in CPDF_DIBSource::CreateDecoder.

BUG=chromium:603518
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1892143003
-rw-r--r--  core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp  11
-rw-r--r--  core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp  10
-rw-r--r--  testing/resources/bug_603518.pdf  bin 0 -> 7328 bytes
3 files changed, 16 insertions, 5 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d38359f..44ac29f9e1 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
bpc, bTransform)) {
if (m_nComponents != static_cast<uint32_t>(comps)) {
FX_Free(m_pCompData);
+ m_pCompData = nullptr;
m_nComponents = static_cast<uint32_t>(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
return 0;
- }
m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
return 0;
- }
}
m_bpc = bpc;
m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
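Review bot: The two early returns added after `m_nComponents = static_cast<uint32_t>(comps);` leave the object holding the decoder's component count alongside a freed, null `m_pCompData`, so any caller that inspects a CPDF_DIBSource after CreateDecoder returns 0 sees an inconsistent pair (whether such a caller exists is not visible in this hunk). Validating against `comps` before the assignment keeps the prior state intact on the failure path: `if (m_pColorSpace && m_pColorSpace->CountComponents() != static_cast<uint32_t>(comps)) return 0;` placed above the assignment, with the PDFCS_LAB check likewise written in terms of `comps`, and `m_nComponents` assigned only once both checks pass. A one-line comment would also help the next reader understand why the new check exists, e.g. `// m_nComponents must agree with m_pColorSpace's count; a mismatch here is what led to the OOB read in crbug.com/603518.` Note that when `m_pColorSpace` is null the new check is skipped entirely; that is presumably the image-mask case, but it is worth confirming that no component-count-dependent path follows for a null color space. CreateDecoder begins before and continues past this hunk.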
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8e37..5c6a8c513f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@ TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_557223) {
FPDFBitmap_Destroy(bitmap);
UnloadPage(page);
}
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+ // Should not crash
+ EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
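Review bot: `EXPECT_NE(nullptr, page);` in the new Bug_603518 test does not stop the test when LoadPage fails, so `RenderPage(page)` on the following line runs with a null page and a load failure would then surface as a crash inside the render helper rather than as the assertion that actually failed. Using `ASSERT_TRUE(OpenDocument("bug_603518.pdf"));` and `ASSERT_NE(nullptr, page);` keeps the failure attributed to the step that produced it. The comment `// Should not crash` would be more useful if it named the regression being guarded, e.g. `// crbug.com/603518: a component-count mismatch recovered in CreateDecoder must not cause an OOB read while rendering.` The preceding Bug_557223 test is mostly outside the hunk, so whether it follows the same EXPECT/ASSERT pattern cannot be seen here.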
diff --git a/testing/resources/bug_603518.pdf b/testing/resources/bug_603518.pdf
new file mode 100644
index 0000000000..1af6005e6c
--- /dev/null
+++ b/testing/resources/bug_603518.pdf
Binary files differ