author | Ryan Harrison <rharrison@chromium.org> | 2017-07-07 14:03:55 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-07-07 18:22:36 +0000 |
commit | f6f68c75ce54a5865fb19dcb075e7734f1639663 (patch) | |
tree | e14853071407d92fbb820fda7725a51d77afedfe /core/fxge/dib/cfx_dibitmap.cpp | |
parent | c3d3bb2a036bc26ad1b3c7c5f03ce11f41529b33 (diff) | |
Check that there is enough data remaining in source BMP before reading
chromium/3152
When reading in a BMP, after processing the header, make sure that
there is enough data remaining in the source before proceeding. If not,
signal that the BMP is improperly formatted.
BUG=chromium:738635
Change-Id: I506bc0e6db7dcd4b5984fd91a1f39516320a2037
Reviewed-on: https://pdfium-review.googlesource.com/7280
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core/fxge/dib/cfx_dibitmap.cpp')
-rw-r--r-- | core/fxge/dib/cfx_dibitmap.cpp | 53 |
1 files changed, 35 insertions, 18 deletions
diff --git a/core/fxge/dib/cfx_dibitmap.cpp b/core/fxge/dib/cfx_dibitmap.cpp
index 48cbc3291c..43b0da0edf 100644
--- a/core/fxge/dib/cfx_dibitmap.cpp
+++ b/core/fxge/dib/cfx_dibitmap.cpp
@@ -34,36 +34,32 @@ bool CFX_DIBitmap::Create(int width,
 int height,
 FXDIB_Format format,
 uint8_t* pBuffer,
- int pitch) {
+ uint32_t pitch) {
 m_pBuffer = nullptr;
 m_bpp = static_cast<uint8_t>(format);
 m_AlphaFlag = static_cast<uint8_t>(format >> 8);
- m_Width = m_Height = m_Pitch = 0;
- if (width <= 0 || height <= 0 || pitch < 0)
- return false;
-
- if ((INT_MAX - 31) / width < (format & 0xff))
- return false;
-
- if (!pitch)
- pitch = (width * (format & 0xff) + 31) / 32 * 4;
+ m_Width = 0;
+ m_Height = 0;
+ m_Pitch = 0;
 
- if ((1 << 30) / pitch < height)
+ uint32_t calculatedSize;
+ if (!CFX_DIBitmap::CalculatePitchAndSize(height, width, format, &pitch,
+ &calculatedSize))
 return false;
 
 if (pBuffer) {
 m_pBuffer.Reset(pBuffer);
 } else {
- int size = pitch * height + 4;
- int oomlimit = MAX_OOM_LIMIT;
- if (oomlimit >= 0 && size >= oomlimit) {
- m_pBuffer =
- std::unique_ptr<uint8_t, FxFreeDeleter>(FX_TryAlloc(uint8_t, size));
+ size_t bufferSize = calculatedSize + 4;
+ size_t oomlimit = MAX_OOM_LIMIT;
+ if (bufferSize >= oomlimit) {
+ m_pBuffer = std::unique_ptr<uint8_t, FxFreeDeleter>(
+ FX_TryAlloc(uint8_t, bufferSize));
 if (!m_pBuffer)
 return false;
 } else {
- m_pBuffer =
- std::unique_ptr<uint8_t, FxFreeDeleter>(FX_Alloc(uint8_t, size));
+ m_pBuffer = std::unique_ptr<uint8_t, FxFreeDeleter>(
+ FX_Alloc(uint8_t, bufferSize));
 }
 }
 m_Width = width;
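Review bot: The switch of `pitch` from `int` to `uint32_t` drops the explicit `pitch < 0` rejection, and nothing at the new call site says what replaces it. A negative value passed by an existing `int` caller now wraps to a value above 2^31 and appears to be rejected only indirectly, by the `(1 << 30) / *pitch` bound inside CalculatePitchAndSize(). I would add a comment above the call, for example `// A negative pitch wraps to a large uint32_t and is rejected by the size bound in CalculatePitchAndSize().`, so the guard is not lost in a later refactor. The header declaration and the call sites are not part of this view, so confirm they were updated to the unsigned type.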
@@ -816,6 +812,27 @@ bool CFX_DIBitmap::ConvertColorScale(uint32_t forecolor, uint32_t backcolor) {
 return true;
 }
 
+bool CFX_DIBitmap::CalculatePitchAndSize(int height,
+ int width,
+ FXDIB_Format format,
+ uint32_t* pitch,
+ uint32_t* size) {
+ if (width <= 0 || height <= 0)
+ return false;
+
+ if ((INT_MAX - 31) / width < (format & 0xFF))
+ return false;
+
+ if (!*pitch)
+ *pitch = static_cast<uint32_t>((width * (format & 0xff) + 31) / 32 * 4);
+
+ if ((1 << 30) / *pitch < static_cast<uint32_t>(height))
+ return false;
+
+ *size = *pitch * static_cast<uint32_t>(height);
+ return true;
+}
+
 bool CFX_DIBitmap::CompositeBitmap(
 int dest_left,
 int dest_top, |
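Review bot: CalculatePitchAndSize() can divide by zero at `(1 << 30) / *pitch` when the format's bit depth is zero: with `(format & 0xff) == 0` and `*pitch == 0` on entry, the computed pitch is `(0 + 31) / 32 * 4`, which is 0. Whether such a format value can reach this function is not visible here, but a guard such as `if (!*pitch) return false;` placed after the pitch is computed would make the helper safe on its own. A non-zero caller-supplied pitch is also accepted without checking that it covers `width` pixels at this depth, so `*size` may under-count what a row needs; consider rejecting a pitch below the computed minimum stride. The mask is spelled `0xFF` in one check and `0xff` in the next, and the `(height, width)` parameter order is the reverse of Create()'s `(width, height)`, which makes the call easy to get wrong.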