summaryrefslogtreecommitdiff
path: root/core/fpdfapi/page/cpdf_meshstream.cpp
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2017-03-01 00:32:20 -0800
committerChromium commit bot <commit-bot@chromium.org>2017-03-01 16:45:36 +0000
commitef81390393ef5fed1ba168cff081d459eed9f260 (patch)
tree89dcc109865b846a95a3f6e121d900e9a03b240d /core/fpdfapi/page/cpdf_meshstream.cpp
parente13ad88925bde037f4ed3b60f9ea5f01b883aa6e (diff)
downloadpdfium-ef81390393ef5fed1ba168cff081d459eed9f260.tar.xz
Fix infinite loops in CPDF_MeshStream.
BUG=chromium:690501 Change-Id: I74b09d90a8082554a67f737eb6adc3bff82ed93e Reviewed-on: https://pdfium-review.googlesource.com/2889 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fpdfapi/page/cpdf_meshstream.cpp')
-rw-r--r--core/fpdfapi/page/cpdf_meshstream.cpp37
1 files changed, 29 insertions, 8 deletions
diff --git a/core/fpdfapi/page/cpdf_meshstream.cpp b/core/fpdfapi/page/cpdf_meshstream.cpp
index 75069cab7f..24ef9b271e 100644
--- a/core/fpdfapi/page/cpdf_meshstream.cpp
+++ b/core/fpdfapi/page/cpdf_meshstream.cpp
@@ -154,6 +154,18 @@ bool CPDF_MeshStream::Load() {
return true;
}
+bool CPDF_MeshStream::CanReadFlag() const {
+ return m_BitStream.BitsRemaining() >= m_nFlagBits;
+}
+
+bool CPDF_MeshStream::CanReadCoords() const {
+ return m_BitStream.BitsRemaining() / 2 >= m_nCoordBits;
+}
+
+bool CPDF_MeshStream::CanReadColor() const {
+ return m_BitStream.BitsRemaining() / m_nComponentBits >= m_nComponents;
+}
+
uint32_t CPDF_MeshStream::ReadFlag() {
ASSERT(ShouldCheckBitsPerFlag(m_type));
return m_BitStream.GetBits(m_nFlagBits) & 0x03;
@@ -209,26 +221,35 @@ std::tuple<FX_FLOAT, FX_FLOAT, FX_FLOAT> CPDF_MeshStream::ReadColor() {
return std::tuple<FX_FLOAT, FX_FLOAT, FX_FLOAT>(r, g, b);
}
-CPDF_MeshVertex CPDF_MeshStream::ReadVertex(const CFX_Matrix& pObject2Bitmap,
- uint32_t* flag) {
+bool CPDF_MeshStream::ReadVertex(const CFX_Matrix& pObject2Bitmap,
+ CPDF_MeshVertex* vertex,
+ uint32_t* flag) {
+ if (!CanReadFlag())
+ return false;
*flag = ReadFlag();
- CPDF_MeshVertex vertex;
- vertex.position = pObject2Bitmap.Transform(ReadCoords());
- std::tie(vertex.r, vertex.g, vertex.b) = ReadColor();
- m_BitStream.ByteAlign();
+ if (!CanReadCoords())
+ return false;
+ vertex->position = pObject2Bitmap.Transform(ReadCoords());
- return vertex;
+ if (!CanReadColor())
+ return false;
+ std::tie(vertex->r, vertex->g, vertex->b) = ReadColor();
+ m_BitStream.ByteAlign();
+ return true;
}
bool CPDF_MeshStream::ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
int count,
CPDF_MeshVertex* vertex) {
for (int i = 0; i < count; i++) {
- if (m_BitStream.IsEOF())
+ if (m_BitStream.IsEOF() || !CanReadCoords())
return false;
vertex[i].position = pObject2Bitmap.Transform(ReadCoords());
+ if (!CanReadColor())
+ return false;
+
std::tie(vertex[i].r, vertex[i].g, vertex[i].b) = ReadColor();
m_BitStream.ByteAlign();
}