diff options
author | Lei Zhang <thestig@chromium.org> | 2018-09-20 16:23:02 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-09-20 16:23:02 +0000 |
commit | 34cdc8f393130985e1a3aa21ee09a4008ec88bdd (patch) | |
tree | 84076024fa1bef0709ef1ad33146c16c1503300d /core/fpdfapi | |
parent | b739b4a9cbc991261627a51cba24907b5d0a8dd4 (diff) | |
download | pdfium-34cdc8f393130985e1a3aa21ee09a4008ec88bdd.tar.xz |
Validate some image data in CPDF_Image::InitJPEG().
Change-Id: I55e840667acfda831488d75efc97504355813dd1
Reviewed-on: https://pdfium-review.googlesource.com/42850
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fpdfapi')
-rw-r--r-- | core/fpdfapi/page/cpdf_image.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/core/fpdfapi/page/cpdf_image.cpp b/core/fpdfapi/page/cpdf_image.cpp index 9fdfa76710..85e7d8a038 100644 --- a/core/fpdfapi/page/cpdf_image.cpp +++ b/core/fpdfapi/page/cpdf_image.cpp @@ -32,6 +32,18 @@ #include "third_party/base/numerics/safe_conversions.h" #include "third_party/base/ptr_util.h" +namespace { + +bool IsValidJpegComponent(int32_t comps) { + return comps == 1 || comps == 3 || comps == 4; +} + +bool IsValidJpegBitsPerComponent(int32_t bpc) { + return bpc == 1 || bpc == 2 || bpc == 4 || bpc == 8 || bpc == 16; +} + +} // namespace + CPDF_Image::CPDF_Image(CPDF_Document* pDoc) : m_pDocument(pDoc) {} CPDF_Image::CPDF_Image(CPDF_Document* pDoc, @@ -82,6 +94,8 @@ std::unique_ptr<CPDF_Dictionary> CPDF_Image::InitJPEG( src_span, &width, &height, &num_comps, &bits, &color_trans)) { return nullptr; } + if (!IsValidJpegComponent(num_comps) || !IsValidJpegBitsPerComponent(bits)) + return nullptr; auto pDict = pdfium::MakeUnique<CPDF_Dictionary>(m_pDocument->GetByteStringPool()); |