summaryrefslogtreecommitdiff
path: root/core/fxcodec
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-03-13 14:07:38 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-03-13 18:48:08 +0000
commit8ba662443cd7bc3bdad1699cf014c2ecb432e453 (patch)
tree00c4d0d7743796d78094726f0d4b3a70349970cf /core/fxcodec
parent9818dc150132ac04148174258423e394eb0948b9 (diff)
downloadpdfium-8ba662443cd7bc3bdad1699cf014c2ecb432e453.tar.xz
Check run lengths in FaxG4GetRow
The spec says a1 is to the right of a0, a2 to the right of a1. I think that means that the run lengths have to be positive, but that certainly means that they cannot be negative. BUG=chromium:699340 Change-Id: Ic07a272e63610f7a66c5073179cdb2768f80e2b8 Reviewed-on: https://pdfium-review.googlesource.com/2963 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/codec/fx_codec_fax.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp
index 8a9c3efbc7..3e8967c265 100644
--- a/core/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/fxcodec/codec/fx_codec_fax.cpp
@@ -315,6 +315,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
}
if (a0 < 0)
++run_len1;
+ if (run_len1 < 0)
+ return false;
a1 = a0 + run_len1;
if (!a0color)
@@ -329,6 +331,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
break;
}
}
+ if (run_len2 < 0)
+ return false;
a2 = a1 + run_len2;
if (a0color)
FaxFillBits(dest_buf, columns, a1, a2);