Let CPDF_MeshStream::ReadVertexRow return a vector

In this CL, CPDF_MeshStream::ReadVertexRow returns a vector. The vector
size is not allocated in advance to prevent OOM attacks, since the size
is given as an input to the PDF.

Bug: chromium:735248
Change-Id: I3e2b020896f24715af5dfd9aa18768e6d64d6f76
Reviewed-on: https://pdfium-review.googlesource.com/7950
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

3 files changed, 24 insertions, 23 deletions

diff --git a/core/fpdfapi/page/cpdf_meshstream.cpp b/core/fpdfapi/page/cpdf_meshstream.cpp
index 7a6228a25b..8588734d95 100644
--- a/core/fpdfapi/page/cpdf_meshstream.cpp
+++ b/core/fpdfapi/page/cpdf_meshstream.cpp
@@ -242,19 +242,22 @@ bool CPDF_MeshStream::ReadVertex(const CFX_Matrix& pObject2Bitmap,
   return true;
 }
 
-bool CPDF_MeshStream::ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
-                                    int count,
-                                    CPDF_MeshVertex* vertex) {
-  for (int i = 0; i < count; i++) {
+std::vector<CPDF_MeshVertex> CPDF_MeshStream::ReadVertexRow(
+    const CFX_Matrix& pObject2Bitmap,
+    int count) {
+  std::vector<CPDF_MeshVertex> vertices;
+  for (int i = 0; i < count; ++i) {
     if (m_BitStream.IsEOF() || !CanReadCoords())
-      return false;
+      return std::vector<CPDF_MeshVertex>();
 
-    vertex[i].position = pObject2Bitmap.Transform(ReadCoords());
+    vertices.push_back(CPDF_MeshVertex());
+    CPDF_MeshVertex& vertex = vertices.back();
+    vertex.position = pObject2Bitmap.Transform(ReadCoords());
     if (!CanReadColor())
-      return false;
+      return std::vector<CPDF_MeshVertex>();
 
-    std::tie(vertex[i].r, vertex[i].g, vertex[i].b) = ReadColor();
+    std::tie(vertex.r, vertex.g, vertex.b) = ReadColor();
     m_BitStream.ByteAlign();
   }
-  return true;
+  return vertices;
 }
diff --git a/core/fpdfapi/page/cpdf_meshstream.h b/core/fpdfapi/page/cpdf_meshstream.h
index af636a964d..60c47790a4 100644
--- a/core/fpdfapi/page/cpdf_meshstream.h
+++ b/core/fpdfapi/page/cpdf_meshstream.h
@@ -54,9 +54,8 @@ class CPDF_MeshStream {
   bool ReadVertex(const CFX_Matrix& pObject2Bitmap,
                   CPDF_MeshVertex* vertex,
                   uint32_t* flag);
-  bool ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
-                     int count,
-                     CPDF_MeshVertex* vertex);
+  std::vector<CPDF_MeshVertex> ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
+                                             int count);
 
   CFX_BitStream* BitStream() { return &m_BitStream; }
   uint32_t ComponentBits() const { return m_nComponentBits; }
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index ccbe39ea07..e033f26093 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -527,25 +527,24 @@ void DrawLatticeGouraudShading(
   if (!stream.Load())
     return;
 
-  std::unique_ptr<CPDF_MeshVertex, FxFreeDeleter> vertex(
-      FX_Alloc2D(CPDF_MeshVertex, row_verts, 2));
-  if (!stream.ReadVertexRow(*pObject2Bitmap, row_verts, vertex.get()))
+  std::vector<CPDF_MeshVertex> vertices[2];
+  vertices[0] = stream.ReadVertexRow(*pObject2Bitmap, row_verts);
+  if (vertices[0].empty())
     return;
 
   int last_index = 0;
   while (1) {
-    CPDF_MeshVertex* last_row = vertex.get() + last_index * row_verts;
-    CPDF_MeshVertex* this_row = vertex.get() + (1 - last_index) * row_verts;
-    if (!stream.ReadVertexRow(*pObject2Bitmap, row_verts, this_row))
+    vertices[1 - last_index] = stream.ReadVertexRow(*pObject2Bitmap, row_verts);
+    if (vertices[1 - last_index].empty())
       return;
 
     CPDF_MeshVertex triangle[3];
-    for (int i = 1; i < row_verts; i++) {
-      triangle[0] = last_row[i];
-      triangle[1] = this_row[i - 1];
-      triangle[2] = last_row[i - 1];
+    for (int i = 1; i < row_verts; ++i) {
+      triangle[0] = vertices[last_index][i];
+      triangle[1] = vertices[1 - last_index][i - 1];
+      triangle[2] = vertices[last_index][i - 1];
       DrawGouraud(pBitmap, alpha, triangle);
-      triangle[2] = this_row[i];
+      triangle[2] = vertices[1 - last_index][i];
       DrawGouraud(pBitmap, alpha, triangle);
     }
     last_index = 1 - last_index;