authorTom Sepez <tsepez@chromium.org>2015-06-30 12:18:55 -0700
committerTom Sepez <tsepez@chromium.org>2015-06-30 12:18:55 -0700
commit74742a75ac7a07c08cf36fe6f4eaa91bed8236a3 (patch)
treecd7863a159b4c8dd691aa280efee56158e1ee42e /core
parentc01c977c9c6e56faf709400547c9b085b8972024 (diff)
Redo range check in CPDF_SampledFunc::v_Call().
The current |bitpos1| calculation protects the passed argument to _GetBits32(): |bitpos.ValueOrDie() + j * m_nBitsPerSample|, but doesn't account for adding in the sample length in that routine. Also bound bits per sample to something reasonable to avoid undefined behaviour on the shift to compute the max value. BUG=471990 R=jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/1219663003.
Diffstat (limited to 'core')
-rw-r--r--core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp25
1 files changed, 16 insertions, 9 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
index f115b6770d..e691f3ab10 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -449,7 +449,8 @@ public:
virtual FX_BOOL v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const;
SampleEncodeInfo* m_pEncodeInfo;
SampleDecodeInfo* m_pDecodeInfo;
- FX_DWORD m_nBitsPerSample, m_SampleMax;
+ FX_DWORD m_nBitsPerSample;
+ FX_DWORD m_SampleMax;
CPDF_StreamAcc* m_pSampleStream;
};
CPDF_SampledFunc::CPDF_SampledFunc()
@@ -479,6 +480,9 @@ FX_BOOL CPDF_SampledFunc::v_Init(CPDF_Object* pObj)
CPDF_Array* pEncode = pDict->GetArray(FX_BSTRC("Encode"));
CPDF_Array* pDecode = pDict->GetArray(FX_BSTRC("Decode"));
m_nBitsPerSample = pDict->GetInteger(FX_BSTRC("BitsPerSample"));
+ if (m_nBitsPerSample > 32) {
+ return FALSE;
+ }
m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);
m_pSampleStream = new CPDF_StreamAcc;
m_pSampleStream->LoadAllData(pStream, FALSE);
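Review bot: A BitsPerSample of 0 still passes the new `m_nBitsPerSample > 32` guard, and the following line then evaluates `0xffffffff >> (32 - 0)`, a shift by the full width of a 32-bit operand, which is the undefined behaviour the commit message sets out to avoid. Since the field is an unsigned FX_DWORD, a negative result from GetInteger() wraps to a large value and is already rejected by the upper bound, so zero is the only case left open. The guard could read `if (m_nBitsPerSample == 0 || m_nBitsPerSample > 32) { return FALSE; }`. v_Init starts before and continues after this hunk, so any validation of the value elsewhere in the function is not visible here.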
@@ -553,20 +557,23 @@ FX_BOOL CPDF_SampledFunc::v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const
}
pos += index[i] * blocksize[i];
}
+ FX_SAFE_INT32 bits_to_output = m_nOutputs;
+ bits_to_output *= m_nBitsPerSample;
+ if (!bits_to_output.IsValid()) {
+ return FALSE;
+ }
FX_SAFE_INT32 bitpos = pos;
- bitpos *= m_nBitsPerSample;
- bitpos *= m_nOutputs;
+ bitpos *= bits_to_output.ValueOrDie();
if (!bitpos.IsValid()) {
return FALSE;
}
- const uint8_t* pSampleData = m_pSampleStream->GetData();
- if (pSampleData == NULL) {
+ FX_SAFE_INT32 range_check = bitpos;
+ range_check += bits_to_output.ValueOrDie();
+ if (!range_check.IsValid()) {
return FALSE;
}
- FX_SAFE_INT32 bitpos1 = m_nOutputs - 1 > 0 ? m_nOutputs - 1 : 0;
- bitpos1 *= m_nBitsPerSample;
- bitpos1 += bitpos.ValueOrDie();
- if (!bitpos1.IsValid()) {
+ const uint8_t* pSampleData = m_pSampleStream->GetData();
+ if (!pSampleData) {
return FALSE;
}
for (int j = 0; j < m_nOutputs; j ++) {
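Review bot: `range_check` only establishes that `bitpos + bits_to_output` fits in an int32; nothing in this hunk compares it with the amount of data behind `pSampleData`. A sample stream shorter than the computed bit offset implies would therefore still be read past its end, unless the loop body, which lies outside the hunk, bounds the access itself. If it does not, a size comparison after the null test would close that gap, for example `if (range_check.ValueOrDie() > static_cast<int64_t>(m_pSampleStream->GetSize()) * 8) { return FALSE; }`. A one-line comment on `range_check` saying it covers the last bit read for output `m_nOutputs - 1` would also make the intent clear to the next reader.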