Check run lengths in FaxG4GetRow

The spec says a1 is to the right of a0, a2 to the right of a1. I think that means that the run lengths have to be positive, but that certainly means that they cannot be negative. BUG=chromium:699340 Change-Id: Ic07a272e63610f7a66c5073179cdb2768f80e2b8 Reviewed-on: https://pdfium-review.googlesource.com/2963 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
author: Nicolas Pena <npm@chromium.org> 2017-03-13 14:07:38 -0400
committer: Chromium commit bot <commit-bot@chromium.org> 2017-03-13 18:48:08 +0000
commit: 8ba662443cd7bc3bdad1699cf014c2ecb432e453 (patch)
tree: 00c4d0d7743796d78094726f0d4b3a70349970cf /core/fxcodec
parent: 9818dc150132ac04148174258423e394eb0948b9 (diff)
download: pdfium-8ba662443cd7bc3bdad1699cf014c2ecb432e453.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp
index 8a9c3efbc7..3e8967c265 100644
--- a/core/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/fxcodec/codec/fx_codec_fax.cpp
@@ -315,6 +315,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
         }
         if (a0 < 0)
           ++run_len1;
+        if (run_len1 < 0)
+          return false;
 
         a1 = a0 + run_len1;
         if (!a0color)
@@ -329,6 +331,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
             break;
           }
         }
+        if (run_len2 < 0)
+          return false;
         a2 = a1 + run_len2;
         if (a0color)
           FaxFillBits(dest_buf, columns, a1, a2);
author	Nicolas Pena <npm@chromium.org>	2017-03-13 14:07:38 -0400
committer	Chromium commit bot <commit-bot@chromium.org>	2017-03-13 18:48:08 +0000
commit	8ba662443cd7bc3bdad1699cf014c2ecb432e453 (patch)
tree	00c4d0d7743796d78094726f0d4b3a70349970cf /core/fxcodec
parent	9818dc150132ac04148174258423e394eb0948b9 (diff)
download	pdfium-8ba662443cd7bc3bdad1699cf014c2ecb432e453.tar.xz