author | Oliver Chang <ochang@chromium.org> | 2016-04-18 12:47:23 -0700 |
---|---|---|
committer | Oliver Chang <ochang@chromium.org> | 2016-04-18 12:47:23 -0700 |
commit | c55fa129c73f4f52ca9d34e12f0e00ec16abf774 (patch) | |
tree | 795c84ff9ab2c3c6ab7e1312a46d31843bd3cf51 /core | |
parent | a57e3e13c1c0ea8e47746f5622f299bd3150eb48 (diff) | |
Merge to M51: Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and
its CPDF_ColorSpace, from code attempting to recover from a failed decoder
initialisation in CPDF_DIBSource::CreateDecoder.
BUG=chromium:603518
TBR=tsepez@chromium.org
Original Review URL: https://codereview.chromium.org/1892143003
(cherry picked from commit 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41)
Review URL: https://codereview.chromium.org/1897953002 .
Diffstat (limited to 'core')
-rw-r--r-- | core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | 11 | ||||
-rw-r--r-- | core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp | 10 |
2 files changed, 16 insertions, 5 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 97f625f29f..74e102db32 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
 bpc, bTransform)) {
 if (m_nComponents != static_cast<uint32_t>(comps)) {
 FX_Free(m_pCompData);
+ m_pCompData = nullptr;
 m_nComponents = static_cast<uint32_t>(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
 return 0;
- }
 m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
 return 0;
- }
 }
 m_bpc = bpc;
 m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8e37..5c6a8c513f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@ TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_557223) {
 FPDFBitmap_Destroy(bitmap);
 UnloadPage(page);
 }
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+ // Should not crash
+ EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+} |
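Review bot: In `CPDF_DIBSource::CreateDecoder`, `m_nComponents` is overwritten with `comps` before the new colour-space comparison runs, so the `return 0` path leaves the object holding the very mismatch the check rejects, with `m_pCompData` null. Whether callers discard the object after a 0 return is not visible in this hunk; if any do not, validate before mutating: `const uint32_t nComps = static_cast<uint32_t>(comps);`, then `if (m_pColorSpace && m_pColorSpace->CountComponents() != nComps) return 0;`, and only then `m_nComponents = nComps;`. The check is also skipped when `m_pColorSpace` is null, so the decoder-reported count is accepted unverified on that path; it would help to confirm that later per-line translation does not depend on a colour space there. A short comment on the guard would record the invariant, e.g. `// Component count must agree with the color space, or TranslateImageLine can read out of bounds (crbug.com/603518).` The function body starts and ends outside the hunk.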
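Review bot: In `Bug_603518` the preconditions use `EXPECT_TRUE(OpenDocument(...))` and `EXPECT_NE(nullptr, page)`, so a missing test file or failed page load still falls through to `RenderPage(page)` and fails for an unrelated reason; `ASSERT_TRUE(OpenDocument("bug_603518.pdf"));` and `ASSERT_NE(nullptr, page);` would stop the test at the real cause. The test's only oracle is "does not crash", and an out-of-bounds read often does not crash in a non-sanitizer build, so this regression test is only reliable under ASan or a similar sanitizer. I would expand the comment to say so, e.g. `// Should not crash; the OOB read is only reliably caught under ASan.` Since the fix makes decoder creation fail for this file, checking what `RenderPage` returns would also pin down the intended behaviour rather than merely the absence of a crash.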