diff options
| author | Lei Zhang <thestig@chromium.org> | 2017-03-01 00:32:20 -0800 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-01 16:45:36 +0000 |
| commit | ef81390393ef5fed1ba168cff081d459eed9f260 (patch) | |
| tree | 89dcc109865b846a95a3f6e121d900e9a03b240d /core/fpdfapi/render | |
| parent | e13ad88925bde037f4ed3b60f9ea5f01b883aa6e (diff) | |
| download | pdfium-ef81390393ef5fed1ba168cff081d459eed9f260.tar.xz | |
Fix infinite loops in CPDF_MeshStream.
BUG=chromium:690501
Change-Id: I74b09d90a8082554a67f737eb6adc3bff82ed93e
Reviewed-on: https://pdfium-review.googlesource.com/2889
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fpdfapi/render')
| -rw-r--r-- | core/fpdfapi/render/cpdf_renderstatus.cpp | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp index 1e67eaba55..9022212ecc 100644 --- a/core/fpdfapi/render/cpdf_renderstatus.cpp +++ b/core/fpdfapi/render/cpdf_renderstatus.cpp @@ -487,13 +487,17 @@ void DrawFreeGouraudShading( FXSYS_memset(triangle, 0, sizeof(triangle)); while (!stream.BitStream()->IsEOF()) { + CPDF_MeshVertex vertex; uint32_t flag; - CPDF_MeshVertex vertex = stream.ReadVertex(*pObject2Bitmap, &flag); + if (!stream.ReadVertex(*pObject2Bitmap, &vertex, &flag)) + return; + if (flag == 0) { triangle[0] = vertex; for (int j = 1; j < 3; j++) { uint32_t tflag; - triangle[j] = stream.ReadVertex(*pObject2Bitmap, &tflag); + if (!stream.ReadVertex(*pObject2Bitmap, &triangle[j], &tflag)) + return; } } else { if (flag == 1) @@ -831,6 +835,8 @@ void DrawCoonPatchMeshes( CFX_PointF coords[16]; int point_count = type == kTensorProductPatchMeshShading ? 16 : 12; while (!stream.BitStream()->IsEOF()) { + if (!stream.CanReadFlag()) + break; uint32_t flag = stream.ReadFlag(); int iStartPoint = 0, iStartColor = 0, i = 0; if (flag) { @@ -846,10 +852,16 @@ void DrawCoonPatchMeshes( tempColors[1] = patch.patch_colors[(flag + 1) % 4]; FXSYS_memcpy(patch.patch_colors, tempColors, sizeof(Coon_Color) * 2); } - for (i = iStartPoint; i < point_count; i++) + for (i = iStartPoint; i < point_count; i++) { + if (!stream.CanReadCoords()) + break; coords[i] = pObject2Bitmap->Transform(stream.ReadCoords()); + } for (i = iStartColor; i < 4; i++) { + if (!stream.CanReadColor()) + break; + FX_FLOAT r; FX_FLOAT g; FX_FLOAT b; |