diff options
| author | Lei Zhang <thestig@chromium.org> | 2018-04-19 16:53:32 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-19 16:53:32 +0000 |
| commit | 93358c23262e27ead528ac60607329ba0ea0a49a (patch) | |
| tree | 352c9aec26cb5d1bc18ef77debedce3328cbaed9 | |
| parent | 54e6da1ee793f436341dfcdc4e0c26b0658d1928 (diff) | |
| download | pdfium-93358c23262e27ead528ac60607329ba0ea0a49a.tar.xz | |
Do a bit more validation in CPDF_ExpIntFunc::v_Init().
Also do some cleanup and use FX_SAFE_UINT32.
Change-Id: I8e9fc49fb768cfc4b13b164c1dcf51b8ca99ec0b
Reviewed-on: https://pdfium-review.googlesource.com/30934
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
| -rw-r--r-- | core/fpdfapi/page/cpdf_expintfunc.cpp | 33 | ||||
| -rw-r--r-- | core/fpdfapi/page/cpdf_expintfunc.h | 8 |
2 files changed, 24 insertions, 17 deletions
diff --git a/core/fpdfapi/page/cpdf_expintfunc.cpp b/core/fpdfapi/page/cpdf_expintfunc.cpp index 020fe1fb81..0b3dc24033 100644 --- a/core/fpdfapi/page/cpdf_expintfunc.cpp +++ b/core/fpdfapi/page/cpdf_expintfunc.cpp @@ -8,12 +8,11 @@ #include "core/fpdfapi/parser/cpdf_array.h" #include "core/fpdfapi/parser/cpdf_dictionary.h" +#include "core/fpdfapi/parser/cpdf_number.h" #include "core/fxcrt/fx_memory.h" CPDF_ExpIntFunc::CPDF_ExpIntFunc() - : CPDF_Function(Type::kType2ExpotentialInterpolation), - m_pBeginValues(nullptr), - m_pEndValues(nullptr) {} + : CPDF_Function(Type::kType2ExpotentialInterpolation) {} CPDF_ExpIntFunc::~CPDF_ExpIntFunc() { FX_Free(m_pBeginValues); @@ -26,14 +25,21 @@ bool CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj, if (!pDict) return false; - CPDF_Array* pArray0 = pDict->GetArrayFor("C0"); - if (m_nOutputs == 0) { - m_nOutputs = 1; - if (pArray0) - m_nOutputs = pArray0->GetCount(); + { + CPDF_Number* pExponent = ToNumber(pDict->GetObjectFor("N")); + if (!pExponent) + return false; + + m_Exponent = pExponent->GetNumber(); } - CPDF_Array* pArray1 = pDict->GetArrayFor("C1"); + const CPDF_Array* pArray0 = pDict->GetArrayFor("C0"); + if (pArray0 && m_nOutputs == 0) + m_nOutputs = pArray0->GetCount(); + if (m_nOutputs == 0) + m_nOutputs = 1; + + const CPDF_Array* pArray1 = pDict->GetArrayFor("C1"); m_pBeginValues = FX_Alloc2D(float, m_nOutputs, 2); m_pEndValues = FX_Alloc2D(float, m_nOutputs, 2); for (uint32_t i = 0; i < m_nOutputs; i++) { @@ -41,12 +47,13 @@ bool CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj, m_pEndValues[i] = pArray1 ? pArray1->GetFloatAt(i) : 1.0f; } - m_Exponent = pDict->GetFloatFor("N"); - m_nOrigOutputs = m_nOutputs; - if (m_nOutputs && m_nInputs > INT_MAX / m_nOutputs) + FX_SAFE_UINT32 nOutputs = m_nOutputs; + nOutputs *= m_nInputs; + if (!nOutputs.IsValid()) return false; - m_nOutputs *= m_nInputs; + m_nOrigOutputs = m_nOutputs; + m_nOutputs = nOutputs.ValueOrDie(); return true; } diff --git a/core/fpdfapi/page/cpdf_expintfunc.h b/core/fpdfapi/page/cpdf_expintfunc.h index 7950c3dfd0..3ff6a7eb22 100644 --- a/core/fpdfapi/page/cpdf_expintfunc.h +++ b/core/fpdfapi/page/cpdf_expintfunc.h @@ -20,10 +20,10 @@ class CPDF_ExpIntFunc : public CPDF_Function { bool v_Init(CPDF_Object* pObj, std::set<CPDF_Object*>* pVisited) override; bool v_Call(const float* inputs, float* results) const override; - uint32_t m_nOrigOutputs; - float m_Exponent; - float* m_pBeginValues; - float* m_pEndValues; + uint32_t m_nOrigOutputs = 0; + float m_Exponent = 0.0f; + float* m_pBeginValues = nullptr; + float* m_pEndValues = nullptr; }; #endif // CORE_FPDFAPI_PAGE_CPDF_EXPINTFUNC_H_ |