authorOliver Chang <ochang@chromium.org>2016-04-18 12:47:23 -0700
committerOliver Chang <ochang@chromium.org>2016-04-18 12:47:23 -0700
commitc55fa129c73f4f52ca9d34e12f0e00ec16abf774 (patch)
tree795c84ff9ab2c3c6ab7e1312a46d31843bd3cf51 /core
parenta57e3e13c1c0ea8e47746f5622f299bd3150eb48 (diff)
downloadpdfium-c55fa129c73f4f52ca9d34e12f0e00ec16abf774.tar.xz
Merge to M51: Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and its CPDF_ColorSpace, from code attempting to recover from a failed decoder initialisation in CPDF_DIBSource::CreateDecoder. BUG=chromium:603518 TBR=tsepez@chromium.org Original Review URL: https://codereview.chromium.org/1892143003 (cherry picked from commit 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41) Review URL: https://codereview.chromium.org/1897953002 .
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp11
-rw-r--r--core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp10
2 files changed, 16 insertions, 5 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 97f625f29f..74e102db32 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
bpc, bTransform)) {
if (m_nComponents != static_cast<uint32_t>(comps)) {
FX_Free(m_pCompData);
+ m_pCompData = nullptr;
m_nComponents = static_cast<uint32_t>(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
return 0;
- }
m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
return 0;
- }
}
m_bpc = bpc;
m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
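Review bot: `m_nComponents` is overwritten with the decoder-reported `comps` before the new colour-space check runs, so on that `return 0` path the object keeps a component count that disagrees with `m_pColorSpace`, with `m_pCompData` already null. Whether that matters depends on callers outside this hunk treating a 0 return as fatal for the whole image; validating first avoids relying on that, e.g. `if (m_pColorSpace && m_pColorSpace->CountComponents() != static_cast<uint32_t>(comps)) return 0;` placed before the assignment. The guard is also skipped when `m_pColorSpace` is null, in which case the count taken from the JPEG header is adopted unchecked; a short comment stating why that case is safe would help. I would also add a comment above the check such as `// Decoder and colour space must agree on component count; TranslateImageLine indexes per-component data by m_nComponents.` CreateDecoder starts and ends outside the hunk.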
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8e37..5c6a8c513f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@ TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_557223) {
FPDFBitmap_Destroy(bitmap);
UnloadPage(page);
}
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+ // Should not crash
+ EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
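Review bot: The checks in `Bug_603518` are non-fatal, so if `bug_603518.pdf` fails to open or `LoadPage(0)` returns null the test still calls `RenderPage(page)` and can fail for a reason unrelated to the regression. Prefer `ASSERT_TRUE(OpenDocument("bug_603518.pdf"));` and `ASSERT_NE(nullptr, page);`. Since the original defect is an out-of-bounds read, a plain build may pass even if the bug returns, so the `// Should not crash` comment could say the test is only a reliable regression guard under a sanitizer build, e.g. `// Must not trigger an OOB read in TranslateImageLine (run under ASan).`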