authorfoxit <jun_fang@foxitsoftware.com>2014-06-20 16:48:43 -0700
committerfoxit <jun_fang@foxitsoftware.com>2014-06-20 16:48:43 -0700
commit3e4b1bc1ac4eb8372a90f95edd69131e54240976 (patch)
tree3e73c6a08911fec6621a43907713542c2d808ed2 /core/src/fxcodec
parentd9713f05fdcecab8428d39034c6b84cd0bbd2920 (diff)
Stack-buffer-overflow in IccLib_Translate
BUG=382240 R=palmer@chromium.org Review URL: https://codereview.chromium.org/332143002
Diffstat (limited to 'core/src/fxcodec')
-rw-r--r--core/src/fxcodec/codec/codec_int.h2
-rw-r--r--core/src/fxcodec/codec/fx_codec_icc.cpp12
2 files changed, 8 insertions, 6 deletions
diff --git a/core/src/fxcodec/codec/codec_int.h b/core/src/fxcodec/codec/codec_int.h
index 638d96db85..47f2c8e1fe 100644
--- a/core/src/fxcodec/codec/codec_int.h
+++ b/core/src/fxcodec/codec/codec_int.h
@@ -172,10 +172,12 @@ public:
virtual void DestroyTransform(FX_LPVOID pTransform);
virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues);
virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels);
+ virtual void SetComponents(FX_DWORD nComponents) {m_nComponents = nComponents;}
virtual ~CCodec_IccModule();
protected:
CFX_MapByteStringToPtr m_MapTranform;
CFX_MapByteStringToPtr m_MapProfile;
+ FX_DWORD m_nComponents;
typedef enum {
Icc_CLASS_INPUT = 0,
Icc_CLASS_OUTPUT,
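Review bot: `m_nComponents` is added without an initialiser, and none of the changes shown for this directory set it in a constructor, so a `Translate` call that is not preceded by `SetComponents` would hand an indeterminate count to `IccLib_Translate` (see the `CCodec_IccModule::Translate` hunk in fx_codec_icc.cpp). Storing the count on the module also makes the bound depend on call order: if one module instance serves several colour spaces, a count set for one caller could be applied to another caller's smaller array. I would initialise the member to zero in the constructor, e.g. `m_nComponents(0)`, and preferably pass the count with the `Translate` call instead of through `SetComponents`. The class body starts and ends outside the hunk.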
diff --git a/core/src/fxcodec/codec/fx_codec_icc.cpp b/core/src/fxcodec/codec/fx_codec_icc.cpp
index 22659ba9ff..b10d9c4868 100644
--- a/core/src/fxcodec/codec/fx_codec_icc.cpp
+++ b/core/src/fxcodec/codec/fx_codec_icc.cpp
@@ -147,7 +147,7 @@ void IccLib_DestroyTransform(void* pTransform)
cmsDeleteTransform(((CLcmsCmm*)pTransform)->m_hTransform);
delete (CLcmsCmm*)pTransform;
}
-void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
+void IccLib_Translate(void* pTransform, FX_DWORD nSrcComponents, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
{
if (pTransform == NULL) {
return;
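Review bot: The new `nSrcComponents` parameter has no comment stating its contract, although that contract is what the fix relies on. I would add above the definition `// nSrcComponents: number of FX_FLOAT values readable at pSrcValues; pass the caller's array length, not the profile's channel count.` The function body continues outside the hunk.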
@@ -155,16 +155,16 @@ void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestVal
CLcmsCmm* p = (CLcmsCmm*)pTransform;
FX_BYTE output[4];
if (p->m_bLab) {
- CFX_FixedBufGrow<double, 16> inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow<double, 16> inputs(nSrcComponents);
double* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
input[i] = pSrcValues[i];
}
cmsDoTransform(p->m_hTransform, input, output, 1);
} else {
- CFX_FixedBufGrow<FX_BYTE, 16> inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow<FX_BYTE, 16> inputs(nSrcComponents);
FX_BYTE* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
if (pSrcValues[i] > 1.0f) {
input[i] = 255;
} else if (pSrcValues[i] < 0) {
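Review bot: `nSrcComponents` now sets both the buffer size and the copy bound without being compared to `p->m_nSrcComponents`, in the Lab branch and the byte branch alike. `cmsDoTransform` presumably still reads as many input channels as the transform was created with, so when the caller's count is smaller the remaining slots of `inputs` would be passed uninitialised (unless `CFX_FixedBufGrow` zero-fills). Keeping the buffer at the transform's size and limiting only the copy avoids that: size it with `inputs(p->m_nSrcComponents)` as before, zero it, and loop with `for (FX_DWORD i = 0; i < nSrcComponents && i < (FX_DWORD)p->m_nSrcComponents; i ++)`. The function body continues past the end of the hunk.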
@@ -534,7 +534,7 @@ void CCodec_IccModule::DestroyTransform(void* pTransform)
}
void CCodec_IccModule::Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
{
- IccLib_Translate(pTransform, pSrcValues, pDestValues);
+ IccLib_Translate(pTransform, m_nComponents, pSrcValues, pDestValues);
}
void CCodec_IccModule::TranslateScanline(void* pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels)
{