author | Henrique Nakashima <hnakashima@chromium.org> | 2018-02-05 22:28:22 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-02-05 22:28:22 +0000 |
commit | 6ec142da3f9cccb60a4d983ee7132c41a0798e24 (patch) | |
tree | 0a5c82ac9ac0662805c7999d64dd80d363379fee /core/fxcodec/codec | |
parent | f743552fbdb17f974c9b1675af81210fe0ffcc50 (diff) | |
download | pdfium-6ec142da3f9cccb60a4d983ee7132c41a0798e24.tar.xz |
Limit dest buffer to 1GB in FlateOrLZWDecode.
Bug: chromium:802094
Change-Id: I99d2d75cd431afe1cdb966e1431143ab43dd9a73
Reviewed-on: https://pdfium-review.googlesource.com/24730
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core/fxcodec/codec')
-rw-r--r-- | core/fxcodec/codec/fx_codec_flate.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/core/fxcodec/codec/fx_codec_flate.cpp b/core/fxcodec/codec/fx_codec_flate.cpp
index 95902bb699..e33a3d4810 100644
--- a/core/fxcodec/codec/fx_codec_flate.cpp
+++ b/core/fxcodec/codec/fx_codec_flate.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/codec/codec_int.h"
 #include <algorithm>
+#include <limits>
 #include <memory>
 #include <utility>
 #include <vector>
@@ -39,9 +40,12 @@ static void my_free_func(void* opaque, void* address) {
 namespace {
+constexpr const static uint32_t kMaxTotalOutSize = 1024 * 1024 * 1024; // 1 GiB
+
 uint32_t FlateGetPossiblyTruncatedTotalOut(void* context) {
- return pdfium::base::saturated_cast<uint32_t>(
- static_cast<z_stream*>(context)->total_out);
+ return std::min(pdfium::base::saturated_cast<uint32_t>(
+ static_cast<z_stream*>(context)->total_out),
+ kMaxTotalOutSize);
 }
 uint32_t FlateGetPossiblyTruncatedTotalIn(void* context) {
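Review bot: The `#include <limits>` added in the first hunk is not used by anything this change introduces — the clamp in the second hunk relies on `std::min` from `<algorithm>`, which the file already included — so unless a part of the file outside these hunks needs `std::numeric_limits`, the include should be dropped. In the second hunk, `constexpr const static uint32_t kMaxTotalOutSize` carries redundant qualifiers: `constexpr` already implies `const`, and `static` adds nothing inside the anonymous namespace, so `constexpr uint32_t kMaxTotalOutSize = 1024 * 1024 * 1024;  // 1 GiB` expresses the same thing. Since the clamp is silent and the only hint to callers is the "PossiblyTruncated" name, the constant deserves a short comment such as `// Upper bound on the decoded size reported to callers, so the destination buffer cannot be grown without limit by a stream that inflates to a huge size (see the bug referenced in the commit message).` FlateGetPossiblyTruncatedTotalIn begins on the hunk's last line and its body lies outside the hunk, so whether it needs a matching bound cannot be judged from here.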