authorRyan Harrison <rharrison@chromium.org>2018-02-07 20:00:25 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-02-07 20:00:25 +0000
commit6c67da092ce8bb384f60e2eae32e18b7283ae76e (patch)
tree0c803c04d7313936e7a528f9bff715e0772d52a8 /core/fxcodec
parentec7d8e21e72562d664e9596cb73bae6da8d6703c (diff)
downloadpdfium-6c67da092ce8bb384f60e2eae32e18b7283ae76e.tar.xz
Check that request sizes in ReadData don't overflow
When a very large, bogus value was passed in for the number of bytes to read, the addition in the check for whether enough data is available could overflow, letting the request through. BUG=chromium:809824 Change-Id: I54af6655b61d39275f3ae6fabb27be2bee3fef05 Reviewed-on: https://pdfium-review.googlesource.com/25871 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/bmp/cfx_bmpdecompressor.cpp9
1 files changed, 6 insertions, 3 deletions
diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
index d5d96de65d..191df8e29a 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
@@ -12,6 +12,7 @@
#include "core/fxcodec/bmp/cfx_bmpcontext.h"
#include "core/fxcrt/fx_system.h"
#include "third_party/base/logging.h"
+#include "third_party/base/numerics/safe_math.h"
#include "third_party/base/ptr_util.h"
namespace {
@@ -629,12 +630,14 @@ int32_t CFX_BmpDecompressor::DecodeRLE4() {
NOTREACHED();
}
-uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size_) {
- if (avail_in_ < skip_size_ + data_size_)
+uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size) {
+ pdfium::base::CheckedNumeric<uint32_t> request_size = data_size;
+ request_size += skip_size_;
+ if (!request_size.IsValid() || avail_in_ < request_size.ValueOrDie())
return nullptr;
*des_buf = next_in_ + skip_size_;
- skip_size_ += data_size_;
+ skip_size_ += data_size;
return *des_buf;
}
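Review bot: The checked addition on the `request_size` lines is left without a comment, so the next reader has to re-derive both why `data_size` is untrusted and why the unchecked `skip_size_ += data_size` below is still safe; I would add above the `CheckedNumeric` line: `// data_size comes from the BMP stream and can be arbitrarily large; the checked add keeps skip_size_ + data_size from wrapping and slipping past the avail_in_ comparison. Once this check passes, the skip_size_ update below cannot overflow either, since the same sum was just shown to fit and to be <= avail_in_.` The comparison `avail_in_ < request_size.ValueOrDie()` also presumes `avail_in_` and `skip_size_` are 32-bit like `data_size`; their declarations are outside this hunk, and if either is wider the conversion into the `uint32_t` accumulator would be silent, so that is worth confirming against the header. A regression test that calls ReadData with `data_size` near `UINT32_MAX` and a nonzero `skip_size_` and asserts a `nullptr` return would pin the fix to the bug it closes.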