diff options
author | Lei Zhang <thestig@chromium.org> | 2018-04-27 18:52:47 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-27 18:52:47 +0000 |
commit | 5a2114eced31ce389ede4486d492faf6db4d7a04 (patch) | |
tree | 55beb054a77a546ab47d50c1e543fe1227a848a6 /core/fpdfapi/page/cpdf_sampledfunc.cpp | |
parent | 3241bb3e98c0b327bbd5b0dc02621e6105cf37a9 (diff) | |
download | pdfium-5a2114eced31ce389ede4486d492faf6db4d7a04.tar.xz |
Do validation earlier in CPDF_SampledFunc::v_Init(). (try 2)
This time, correctly multiply |nTotalSampleBits| before checking it.
Change-Id: I68befeedb54626314f7bb00a35e567d2cbf1cc10
Reviewed-on: https://pdfium-review.googlesource.com/31152
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core/fpdfapi/page/cpdf_sampledfunc.cpp')
-rw-r--r-- | core/fpdfapi/page/cpdf_sampledfunc.cpp | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/core/fpdfapi/page/cpdf_sampledfunc.cpp b/core/fpdfapi/page/cpdf_sampledfunc.cpp index 6039d630ef..3777254f34 100644 --- a/core/fpdfapi/page/cpdf_sampledfunc.cpp +++ b/core/fpdfapi/page/cpdf_sampledfunc.cpp @@ -47,16 +47,13 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj, if (!pSize || pSize->IsEmpty()) return false; - const CPDF_Array* pEncode = pDict->GetArrayFor("Encode"); - const CPDF_Array* pDecode = pDict->GetArrayFor("Decode"); m_nBitsPerSample = pDict->GetIntegerFor("BitsPerSample"); if (!IsValidBitsPerSample(m_nBitsPerSample)) return false; - m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample); - m_pSampleStream = pdfium::MakeRetain<CPDF_StreamAcc>(pStream); - m_pSampleStream->LoadAllDataFiltered(); - FX_SAFE_UINT32 nTotalSampleBits = 1; + FX_SAFE_UINT32 nTotalSampleBits = m_nBitsPerSample; + nTotalSampleBits *= m_nOutputs; + const CPDF_Array* pEncode = pDict->GetArrayFor("Encode"); m_EncodeInfo.resize(m_nInputs); for (uint32_t i = 0; i < m_nInputs; i++) { int size = pSize->GetIntegerAt(i); @@ -74,15 +71,17 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj, m_EncodeInfo[i].sizes == 1 ? 1 : m_EncodeInfo[i].sizes - 1; } } - nTotalSampleBits *= m_nBitsPerSample; - nTotalSampleBits *= m_nOutputs; - FX_SAFE_UINT32 nTotalSampleBytes = nTotalSampleBits; - nTotalSampleBytes += 7; - nTotalSampleBytes /= 8; - if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0 || - nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()) { + FX_SAFE_UINT32 nTotalSampleBytes = (nTotalSampleBits + 7) / 8; + if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0) return false; - } + + m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample); + m_pSampleStream = pdfium::MakeRetain<CPDF_StreamAcc>(pStream); + m_pSampleStream->LoadAllDataFiltered(); + if (nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()) + return false; + + const CPDF_Array* pDecode = pDict->GetArrayFor("Decode"); m_DecodeInfo.resize(m_nOutputs); for (uint32_t i = 0; i < m_nOutputs; i++) { if (pDecode) { |