diff options
author | kcwu <kcwu@chromium.org> | 2016-09-23 09:26:51 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-23 09:26:51 -0700 |
commit | 4dd613cb51c1d77ac2998f760325ed5b93f4ebf0 (patch) | |
tree | 5026a0aa7a55f6f0edfc40702ec5f55fd05502ff /core/fxcodec/codec | |
parent | 3f4111fbff1233de9f5c67eda433bee0f5f88c4e (diff) | |
download | pdfium-4dd613cb51c1d77ac2998f760325ed5b93f4ebf0.tar.xz |
Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder
BUG=648935,649436
Review-Url: https://codereview.chromium.org/2360283004
Diffstat (limited to 'core/fxcodec/codec')
-rw-r--r-- | core/fxcodec/codec/fx_codec_fax.cpp | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp index c0202829ee..11c42ade28 100644 --- a/core/fxcodec/codec/fx_codec_fax.cpp +++ b/core/fxcodec/codec/fx_codec_fax.cpp @@ -36,7 +36,11 @@ const uint8_t ZeroLeadPos[256] = { 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 7, 8, }; +// Limit of image dimension, an arbitrary large number. +const int kMaxImageDimension = 0x01FFFF; + int FindBit(const uint8_t* data_buf, int max_pos, int start_pos, int bit) { + ASSERT(start_pos >= 0); if (start_pos >= max_pos) { return max_pos; } @@ -511,7 +515,7 @@ CCodec_FaxDecoder::CCodec_FaxDecoder(const uint8_t* src_buf, m_OrigWidth = width; if (m_OrigHeight == 0) m_OrigHeight = height; - // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder. + // Should not overflow. Checked by CCodec_FaxDecoder::CreateDecoder. m_Pitch = (static_cast<uint32_t>(m_OrigWidth) + 31) / 32 * 4; m_OutputWidth = m_OrigWidth; m_OutputHeight = m_OrigHeight; @@ -624,6 +628,13 @@ CCodec_ScanlineDecoder* CCodec_FaxModule::CreateDecoder( FX_BOOL BlackIs1, int Columns, int Rows) { + // Reject invalid values. + if (width <= 0 || height < 0 || Columns < 0 || Rows < 0) + return nullptr; + // Reject unreasonable large input. + if (width > kMaxImageDimension || height > kMaxImageDimension || + Columns > kMaxImageDimension || Rows > kMaxImageDimension) + return nullptr; return new CCodec_FaxDecoder(src_buf, src_size, width, height, K, EndOfLine, EncodedByteAlign, BlackIs1, Columns, Rows); } |