diff options
author | Tom Sepez <tsepez@chromium.org> | 2015-06-30 12:18:55 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-06-30 12:18:55 -0700 |
commit | 74742a75ac7a07c08cf36fe6f4eaa91bed8236a3 (patch) | |
tree | cd7863a159b4c8dd691aa280efee56158e1ee42e /core | |
parent | c01c977c9c6e56faf709400547c9b085b8972024 (diff) | |
download | pdfium-74742a75ac7a07c08cf36fe6f4eaa91bed8236a3.tar.xz |
Redo range check in CPDF_SampledFunc::v_Call().
The current |bitpos1| calculation protects the passed argument to
_GetBits32(): |bitpos.ValueOrDie() + j * m_nBitsPerSample|, but doesn't
account for adding in the sample length in that routine.
Also bound bits per sample to something reasonable to avoid undefined
behaviour on the shift to compute the max value.
BUG=471990
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/1219663003.
Diffstat (limited to 'core')
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp index f115b6770d..e691f3ab10 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp @@ -449,7 +449,8 @@ public: virtual FX_BOOL v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const; SampleEncodeInfo* m_pEncodeInfo; SampleDecodeInfo* m_pDecodeInfo; - FX_DWORD m_nBitsPerSample, m_SampleMax; + FX_DWORD m_nBitsPerSample; + FX_DWORD m_SampleMax; CPDF_StreamAcc* m_pSampleStream; }; CPDF_SampledFunc::CPDF_SampledFunc() @@ -479,6 +480,9 @@ FX_BOOL CPDF_SampledFunc::v_Init(CPDF_Object* pObj) CPDF_Array* pEncode = pDict->GetArray(FX_BSTRC("Encode")); CPDF_Array* pDecode = pDict->GetArray(FX_BSTRC("Decode")); m_nBitsPerSample = pDict->GetInteger(FX_BSTRC("BitsPerSample")); + if (m_nBitsPerSample > 32) { + return FALSE; + } m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample); m_pSampleStream = new CPDF_StreamAcc; m_pSampleStream->LoadAllData(pStream, FALSE); @@ -553,20 +557,23 @@ FX_BOOL CPDF_SampledFunc::v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const } pos += index[i] * blocksize[i]; } + FX_SAFE_INT32 bits_to_output = m_nOutputs; + bits_to_output *= m_nBitsPerSample; + if (!bits_to_output.IsValid()) { + return FALSE; + } FX_SAFE_INT32 bitpos = pos; - bitpos *= m_nBitsPerSample; - bitpos *= m_nOutputs; + bitpos *= bits_to_output.ValueOrDie(); if (!bitpos.IsValid()) { return FALSE; } - const uint8_t* pSampleData = m_pSampleStream->GetData(); - if (pSampleData == NULL) { + FX_SAFE_INT32 range_check = bitpos; + range_check += bits_to_output.ValueOrDie(); + if (!range_check.IsValid()) { return FALSE; } - FX_SAFE_INT32 bitpos1 = m_nOutputs - 1 > 0 ? m_nOutputs - 1 : 0; - bitpos1 *= m_nBitsPerSample; - bitpos1 += bitpos.ValueOrDie(); - if (!bitpos1.IsValid()) { + const uint8_t* pSampleData = m_pSampleStream->GetData(); + if (!pSampleData) { return FALSE; } for (int j = 0; j < m_nOutputs; j ++) { |