diff options
author | thestig <thestig@chromium.org> | 2016-10-26 13:41:26 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-10-26 13:41:26 -0700 |
commit | cd5f026e7b277ec73d53e149c7c48ee981547d1a (patch) | |
tree | fd48cb9e916fa396240042c3565106e76b49359b /core/fxcodec | |
parent | d3a2009d75eac3cda442f545ef0865afae7b35cf (diff) | |
download | pdfium-cd5f026e7b277ec73d53e149c7c48ee981547d1a.tar.xz |
Add more checks to tiff_read() and tiff_seek().
BUG=chromium:659519
Review-Url: https://codereview.chromium.org/2456553002
Diffstat (limited to 'core/fxcodec')
-rw-r--r-- | core/fxcodec/codec/fx_codec_tiff.cpp | 58 |
1 files changed, 40 insertions, 18 deletions
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp index c76a604e4d..c4c745587f 100644 --- a/core/fxcodec/codec/fx_codec_tiff.cpp +++ b/core/fxcodec/codec/fx_codec_tiff.cpp @@ -4,8 +4,11 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com +#include <limits> + #include "core/fxcodec/codec/codec_int.h" #include "core/fxcodec/fx_codec.h" +#include "core/fxcrt/fx_safe_types.h" #include "core/fxge/fx_dib.h" extern "C" { @@ -29,7 +32,6 @@ class CCodec_TiffContext { IFX_SeekableReadStream* io_in() const { return m_io_in; } uint32_t offset() const { return m_offset; } void set_offset(uint32_t offset) { m_offset = offset; } - void increment_offset(uint32_t offset) { m_offset += offset; } private: bool IsSupport(const CFX_DIBitmap* pDIBitmap) const; @@ -89,11 +91,17 @@ TIFFErrorHandler _TIFFerrorHandler = nullptr; namespace { tsize_t tiff_read(thandle_t context, tdata_t buf, tsize_t length) { - CCodec_TiffContext* pTiffContext = (CCodec_TiffContext*)context; + CCodec_TiffContext* pTiffContext = + reinterpret_cast<CCodec_TiffContext*>(context); + FX_SAFE_UINT32 increment = pTiffContext->offset(); + increment += length; + if (!increment.IsValid()) + return 0; + if (!pTiffContext->io_in()->ReadBlock(buf, pTiffContext->offset(), length)) return 0; - pTiffContext->increment_offset(length); + pTiffContext->set_offset(increment.ValueOrDie()); return length; } @@ -103,24 +111,37 @@ tsize_t tiff_write(thandle_t context, tdata_t buf, tsize_t length) { } toff_t tiff_seek(thandle_t context, toff_t offset, int whence) { - CCodec_TiffContext* pTiffContext = (CCodec_TiffContext*)context; + CCodec_TiffContext* pTiffContext = + reinterpret_cast<CCodec_TiffContext*>(context); + FX_SAFE_FILESIZE safe_offset = offset; + if (!safe_offset.IsValid()) + return static_cast<toff_t>(-1); + FX_FILESIZE file_offset = safe_offset.ValueOrDie(); + switch (whence) { - case 0: - pTiffContext->set_offset(offset); - break; - case 1: - pTiffContext->increment_offset(offset); - break; - case 2: - if (pTiffContext->io_in()->GetSize() < (FX_FILESIZE)offset) + case 0: { + if (file_offset > pTiffContext->io_in()->GetSize()) return static_cast<toff_t>(-1); - pTiffContext->set_offset(pTiffContext->io_in()->GetSize() - offset); - break; + pTiffContext->set_offset(file_offset); + return pTiffContext->offset(); + } + case 1: { + FX_SAFE_UINT32 new_increment = pTiffContext->offset(); + new_increment += file_offset; + if (!new_increment.IsValid()) + return static_cast<toff_t>(-1); + pTiffContext->set_offset(new_increment.ValueOrDie()); + return pTiffContext->offset(); + } + case 2: { + if (pTiffContext->io_in()->GetSize() < file_offset) + return static_cast<toff_t>(-1); + pTiffContext->set_offset(pTiffContext->io_in()->GetSize() - file_offset); + return pTiffContext->offset(); + } default: return static_cast<toff_t>(-1); } - ASSERT(pTiffContext->offset() <= (uint32_t)pTiffContext->io_in()->GetSize()); - return pTiffContext->offset(); } int tiff_close(thandle_t context) { @@ -128,8 +149,9 @@ int tiff_close(thandle_t context) { } toff_t tiff_get_size(thandle_t context) { - CCodec_TiffContext* pTiffContext = (CCodec_TiffContext*)context; - return (toff_t)pTiffContext->io_in()->GetSize(); + CCodec_TiffContext* pTiffContext = + reinterpret_cast<CCodec_TiffContext*>(context); + return static_cast<toff_t>(pTiffContext->io_in()->GetSize()); } int tiff_map(thandle_t context, tdata_t*, toff_t*) { |