author | foxit <jun_fang@foxitsoftware.com> | 2014-06-20 16:48:43 -0700 |
---|---|---|
committer | foxit <jun_fang@foxitsoftware.com> | 2014-06-20 16:48:43 -0700 |
commit | 3e4b1bc1ac4eb8372a90f95edd69131e54240976 (patch) | |
tree | 3e73c6a08911fec6621a43907713542c2d808ed2 /core/src/fxcodec | |
parent | d9713f05fdcecab8428d39034c6b84cd0bbd2920 (diff) | |
download | pdfium-3e4b1bc1ac4eb8372a90f95edd69131e54240976.tar.xz |
Stack-buffer-overflow in IccLib_Translate
BUG=382240
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/332143002
Diffstat (limited to 'core/src/fxcodec')
-rw-r--r-- | core/src/fxcodec/codec/codec_int.h | 2 | ||||
-rw-r--r-- | core/src/fxcodec/codec/fx_codec_icc.cpp | 12 |
2 files changed, 8 insertions, 6 deletions
diff --git a/core/src/fxcodec/codec/codec_int.h b/core/src/fxcodec/codec/codec_int.h
index 638d96db85..47f2c8e1fe 100644
--- a/core/src/fxcodec/codec/codec_int.h
+++ b/core/src/fxcodec/codec/codec_int.h
@@ -172,10 +172,12 @@ public:
 virtual void DestroyTransform(FX_LPVOID pTransform);
 virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues);
 virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels);
+ virtual void SetComponents(FX_DWORD nComponents) {m_nComponents = nComponents;}
 virtual ~CCodec_IccModule();
 protected:
 CFX_MapByteStringToPtr m_MapTranform;
 CFX_MapByteStringToPtr m_MapProfile;
+ FX_DWORD m_nComponents;
 typedef enum {
 Icc_CLASS_INPUT = 0,
 Icc_CLASS_OUTPUT,
diff --git a/core/src/fxcodec/codec/fx_codec_icc.cpp b/core/src/fxcodec/codec/fx_codec_icc.cpp
index 22659ba9ff..b10d9c4868 100644
--- a/core/src/fxcodec/codec/fx_codec_icc.cpp
+++ b/core/src/fxcodec/codec/fx_codec_icc.cpp
@@ -147,7 +147,7 @@ void IccLib_DestroyTransform(void* pTransform)
 cmsDeleteTransform(((CLcmsCmm*)pTransform)->m_hTransform);
 delete (CLcmsCmm*)pTransform;
 }
-void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
+void IccLib_Translate(void* pTransform, FX_DWORD nSrcComponents, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
 {
 if (pTransform == NULL) {
 return;
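Review bot: `m_nComponents` in codec_int.h is given no initial value in this hunk, so unless the constructor (not visible here) sets it, a `Translate` call made before `SetComponents` hands an indeterminate count to `IccLib_Translate`, where it becomes the loop bound over `pSrcValues`. The count is also stored on the module rather than per transform, so the `CCodec_IccModule::Translate` hunk in fx_codec_icc.cpp relies on every caller invoking `SetComponents` right before each `Translate`; two transforms with different channel counts used alternately would pick up the wrong bound. Initialising the member in the constructor, for example `m_nComponents = 0;`, makes the unset case deterministic, and a comment on the setter such as `// Must be called with the length of pSrcValues before each Translate().` would make the contract visible to callers.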
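Review bot: The new `nSrcComponents` parameter of `IccLib_Translate` carries no comment saying whose count it is, and that distinction appears to be the whole point of the fix. I would add above the definition `// nSrcComponents: number of FX_FLOAT values readable at pSrcValues (the caller's count), not the channel count stored in the transform.` The function body continues past this hunk.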
@@ -155,16 +155,16 @@ void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestVal
 CLcmsCmm* p = (CLcmsCmm*)pTransform;
 FX_BYTE output[4];
 if (p->m_bLab) {
- CFX_FixedBufGrow<double, 16> inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow<double, 16> inputs(nSrcComponents);
 double* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
 input[i] = pSrcValues[i];
 }
 cmsDoTransform(p->m_hTransform, input, output, 1);
 } else {
- CFX_FixedBufGrow<FX_BYTE, 16> inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow<FX_BYTE, 16> inputs(nSrcComponents);
 FX_BYTE* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
 if (pSrcValues[i] > 1.0f) {
 input[i] = 255;
 } else if (pSrcValues[i] < 0) {
@@ -534,7 +534,7 @@ void CCodec_IccModule::DestroyTransform(void* pTransform)
 }
 void CCodec_IccModule::Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
 {
- IccLib_Translate(pTransform, pSrcValues, pDestValues);
+ IccLib_Translate(pTransform, m_nComponents, pSrcValues, pDestValues);
 }
 void CCodec_IccModule::TranslateScanline(void* pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels)
 { |
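Review bot: Both branches of `IccLib_Translate` now write only `nSrcComponents` entries of `input`, while `cmsDoTransform` is presumably still driven by the transform's own input format. When the caller's count is smaller than `p->m_nSrcComponents`, the library would then read entries that were never written. The read of `pSrcValues` is correctly bounded by the caller's count, but the buffer handed to the library should still cover the transform's channel count: size `inputs` for the larger of the two values and zero the tail, e.g. `for (FX_DWORD i = nSrcComponents; i < (FX_DWORD)p->m_nSrcComponents; i ++) input[i] = 0;` before the `cmsDoTransform` call in the Lab branch. The same applies in the else branch, whose remainder lies outside the hunk.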