diff options
| author | Lei Zhang <thestig@chromium.org> | 2018-06-29 14:52:29 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-06-29 14:52:29 +0000 |
| commit | 611da5146966980bca581e37fd85afbc2f6c763e (patch) | |
| tree | eae88ba09af08b14103381168e8199ef90ee5011 | |
| parent | 55f82fcc12972bdf405a28c3c428e11e889e8ce1 (diff) | |
| download | pdfium-611da5146966980bca581e37fd85afbc2f6c763e.tar.xz | |
Limit image size in CJBig2_PDDProc.
CJBig2_PDDProc internally creates a CJBig2_GRDProc to create an image.
If the image is too big, then processing it can use up too much memory.
BUG=chromium:857106
Change-Id: I06a9eaed6941be1cbb7481d21048e6a1681696b7
Reviewed-on: https://pdfium-review.googlesource.com/36490
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_PddProc.cpp | 29 | ||||
| -rw-r--r-- | core/fxcodec/jbig2/JBig2_PddProc.h | 5 |
2 files changed, 25 insertions, 9 deletions
diff --git a/core/fxcodec/jbig2/JBig2_PddProc.cpp b/core/fxcodec/jbig2/JBig2_PddProc.cpp index 82364b6ae2..9d274f9a4a 100644 --- a/core/fxcodec/jbig2/JBig2_PddProc.cpp +++ b/core/fxcodec/jbig2/JBig2_PddProc.cpp @@ -17,10 +17,10 @@ std::unique_ptr<CJBig2_PatternDict> CJBig2_PDDProc::DecodeArith( CJBig2_ArithDecoder* pArithDecoder, JBig2ArithCtx* gbContext, PauseIndicatorIface* pPause) { - auto pGRD = pdfium::MakeUnique<CJBig2_GRDProc>(); - pGRD->MMR = HDMMR; - pGRD->GBW = (GRAYMAX + 1) * HDPW; - pGRD->GBH = HDPH; + std::unique_ptr<CJBig2_GRDProc> pGRD = CreateGRDProc(); + if (!pGRD) + return nullptr; + pGRD->GBTEMPLATE = HDTEMPLATE; pGRD->TPGDON = 0; pGRD->USESKIP = 0; @@ -57,11 +57,11 @@ std::unique_ptr<CJBig2_PatternDict> CJBig2_PDDProc::DecodeArith( std::unique_ptr<CJBig2_PatternDict> CJBig2_PDDProc::DecodeMMR( CJBig2_BitStream* pStream) { + std::unique_ptr<CJBig2_GRDProc> pGRD = CreateGRDProc(); + if (!pGRD) + return nullptr; + std::unique_ptr<CJBig2_Image> BHDC; - auto pGRD = pdfium::MakeUnique<CJBig2_GRDProc>(); - pGRD->MMR = HDMMR; - pGRD->GBW = (GRAYMAX + 1) * HDPW; - pGRD->GBH = HDPH; pGRD->StartDecodeMMR(&BHDC, pStream); if (!BHDC) return nullptr; @@ -71,3 +71,16 @@ std::unique_ptr<CJBig2_PatternDict> CJBig2_PDDProc::DecodeMMR( pDict->HDPATS[GRAY] = BHDC->SubImage(HDPW * GRAY, 0, HDPW, HDPH); return pDict; } + +std::unique_ptr<CJBig2_GRDProc> CJBig2_PDDProc::CreateGRDProc() { + uint32_t width = (GRAYMAX + 1) * HDPW; + uint32_t height = HDPH; + if (width > JBIG2_MAX_IMAGE_SIZE || height > JBIG2_MAX_IMAGE_SIZE) + return nullptr; + + auto pGRD = pdfium::MakeUnique<CJBig2_GRDProc>(); + pGRD->MMR = HDMMR; + pGRD->GBW = width; + pGRD->GBH = height; + return pGRD; +} diff --git a/core/fxcodec/jbig2/JBig2_PddProc.h b/core/fxcodec/jbig2/JBig2_PddProc.h index b9f4d81cf8..13590edb41 100644 --- a/core/fxcodec/jbig2/JBig2_PddProc.h +++ b/core/fxcodec/jbig2/JBig2_PddProc.h @@ -13,6 +13,7 @@ class CJBig2_ArithDecoder; class CJBig2_BitStream; +class CJBig2_GRDProc; class CJBig2_PatternDict; class PauseIndicatorIface; struct JBig2ArithCtx; @@ -26,12 +27,14 @@ class CJBig2_PDDProc { std::unique_ptr<CJBig2_PatternDict> DecodeMMR(CJBig2_BitStream* pStream); - public: bool HDMMR; uint8_t HDPW; uint8_t HDPH; uint32_t GRAYMAX; uint8_t HDTEMPLATE; + + private: + std::unique_ptr<CJBig2_GRDProc> CreateGRDProc(); }; #endif // CORE_FXCODEC_JBIG2_JBIG2_PDDPROC_H_ |