Merge to XFA: Clear decoders after the image decoder in the /Filter array.

During decoding, when an image decoder is encountered, any subsequent decoders are ignored, but remain in the array. However, later on CPDF_DIBSource::ValidateDictParam expects the image decoder to be the last in the array, causing issues. A check is also added in CPDF_DIBSource::GetScanline to ensure that the calculated pitch value is <= the (4-aligned) pitch value in the cached bitmap to prevent future issues. Also cleans up some NULL usages. BUG=552046 TBR=tsepez@chromium.org Review URL: https://codereview.chromium.org/1406943005 . (cherry picked from commit 182d129bcee8f7731b9bbfde0064295ad3b37271) Review URL: https://codereview.chromium.org/1436153003 .
author: Oliver Chang <ochang@chromium.org> 2015-11-12 10:52:54 -0800
committer: Oliver Chang <ochang@chromium.org> 2015-11-12 10:52:54 -0800
commit: 437c23363b9be8d681e5ba76827b2fb5af53c8bf (patch)
tree: 1096293c194c527c45f0814f0bca7367069e9761 /core/src/fpdfapi/fpdf_parser
parent: 76bc23415f626ad51cfc73f0fb5a4e13c3a4f73f (diff)
download: pdfium-437c23363b9be8d681e5ba76827b2fb5af53c8bf.tar.xz
3 files changed, 27 insertions, 9 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
index ff0519c9b5..588ab5dff6 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
@@ -363,7 +363,7 @@ FX_BOOL PDF_DataDecode(const uint8_t* src_buf,
     // Use ToDictionary here because we can push NULL into the ParamList.
     CPDF_Dictionary* pParam =
         ToDictionary(static_cast<CPDF_Object*>(ParamList[i]));
-    uint8_t* new_buf = NULL;
+    uint8_t* new_buf = nullptr;
     FX_DWORD new_size = (FX_DWORD)-1;
     int offset = -1;
     if (decoder == FX_BSTRC("FlateDecode") || decoder == FX_BSTRC("Fl")) {
@@ -395,18 +395,21 @@ FX_BOOL PDF_DataDecode(const uint8_t* src_buf,
         return TRUE;
       }
       offset = RunLengthDecode(last_buf, last_size, new_buf, new_size);
+    } else if (decoder == FX_BSTRC("Crypt")) {
+      continue;
     } else {
+      // If we get here, assume it's an image decoder.
       if (decoder == FX_BSTRC("DCT")) {
         decoder = "DCTDecode";
       } else if (decoder == FX_BSTRC("CCF")) {
         decoder = "CCITTFaxDecode";
-      } else if (decoder == FX_BSTRC("Crypt")) {
-        continue;
       }
       ImageEncoding = decoder;
       pImageParms = pParam;
       dest_buf = (uint8_t*)last_buf;
       dest_size = last_size;
+      if (CPDF_Array* pDecoders = pDecoder->AsArray())
+        pDecoders->RemoveAt(i + 1, pDecoders->GetCount() - i - 1);
       return TRUE;
     }
     if (last_buf != src_buf) {
@@ -420,7 +423,7 @@ FX_BOOL PDF_DataDecode(const uint8_t* src_buf,
     last_size = new_size;
   }
   ImageEncoding = "";
-  pImageParms = NULL;
+  pImageParms = nullptr;
   dest_buf = last_buf;
   dest_size = last_size;
   return TRUE;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
index 279151a87a..62da88b9ba 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
@@ -95,4 +95,14 @@ TEST_F(FPDFParserDecodeEmbeddertest, FlateDecode) {
   }
 }
 
+TEST_F(FPDFParserDecodeEmbeddertest, Bug_552046) {
+  // Tests specifying multiple image filters for a stream. Should not cause a
+  // crash when rendered.
+  EXPECT_TRUE(OpenDocument("bug_552046.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  FPDF_BITMAP bitmap = RenderPage(page);
+  FPDFBitmap_Destroy(bitmap);
+  UnloadPage(page);
+}
+
 #undef TEST_CASE
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index 990bf5f0e2..edf80d0618 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -496,13 +496,18 @@ CPDF_Stream* CPDF_Array::GetStream(FX_DWORD i) const {
 CPDF_Array* CPDF_Array::GetArray(FX_DWORD i) const {
   return ToArray(GetElementValue(i));
 }
-void CPDF_Array::RemoveAt(FX_DWORD i) {
-  ASSERT(IsArray());
+void CPDF_Array::RemoveAt(FX_DWORD i, int nCount) {
   if (i >= (FX_DWORD)m_Objects.GetSize())
     return;
-  if (CPDF_Object* p = static_cast<CPDF_Object*>(m_Objects.GetAt(i)))
-    p->Release();
-  m_Objects.RemoveAt(i);
+
+  if (nCount <= 0 || nCount > m_Objects.GetSize() - i)
+    return;
+
+  for (int j = 0; j < nCount; ++j) {
+    if (CPDF_Object* p = static_cast<CPDF_Object*>(m_Objects.GetAt(i + j)))
+      p->Release();
+  }
+  m_Objects.RemoveAt(i, nCount);
 }
 void CPDF_Array::SetAt(FX_DWORD i,
                        CPDF_Object* pObj,
author	Oliver Chang <ochang@chromium.org>	2015-11-12 10:52:54 -0800
committer	Oliver Chang <ochang@chromium.org>	2015-11-12 10:52:54 -0800
commit	437c23363b9be8d681e5ba76827b2fb5af53c8bf (patch)
tree	1096293c194c527c45f0814f0bca7367069e9761 /core/src/fpdfapi/fpdf_parser
parent	76bc23415f626ad51cfc73f0fb5a4e13c3a4f73f (diff)
download	pdfium-437c23363b9be8d681e5ba76827b2fb5af53c8bf.tar.xz