author | ochang <ochang@chromium.org> | 2016-04-15 13:52:00 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-04-15 13:52:00 -0700 |
commit | 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41 (patch) | |
tree | 8be0c41efc1bce888ee8429e9adf4f13f379ba64 /core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | |
parent | 018935c9304bebf13fbad20b124d775ccae87fae (diff) | |
Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and
its CPDF_ColorSpace, from code attempting to recover from a failed decoder
initialisation in CPDF_DIBSource::CreateDecoder.
BUG=chromium:603518
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1892143003
Diffstat (limited to 'core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp')
-rw-r--r-- | core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d38359f..44ac29f9e1 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
 bpc, bTransform)) {
 if (m_nComponents != static_cast<uint32_t>(comps)) {
 FX_Free(m_pCompData);
+ m_pCompData = nullptr;
 m_nComponents = static_cast<uint32_t>(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
 return 0;
- }
 m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
 return 0;
- }
 }
 m_bpc = bpc;
 m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder( |
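Review bot: `m_nComponents` is overwritten with the decoder's `comps` (and `m_pCompData` freed) before the new colour-space check runs, so each `return 0` leaves the object holding a component count that disagrees with `m_pColorSpace`. Whether any caller keeps using the CPDF_DIBSource after CreateDecoder fails is not visible in this hunk, but if one does, the mismatch this commit targets is still present on that path. Validating before mutating would avoid that: compute `const uint32_t new_comps = static_cast<uint32_t>(comps);`, run `if (m_pColorSpace && m_pColorSpace->CountComponents() != new_comps) return 0;` and the Lab check against `new_comps`, and only then free `m_pCompData` and assign `m_nComponents`. The two-line condition would also be safer with braces kept around its `return 0;`. CreateDecoder's body starts and ends outside the hunk.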