summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-02-14 11:56:37 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-02-14 18:28:22 +0000
commit7d4ccd7b5dd9ebb14e97ad35fb3bc093225b939a (patch)
tree9641facfa872657211574ed6ccd6dad0645fff53 /core
parent940f559b985d4a742c21b21cb077a232e44dd289 (diff)
downloadpdfium-7d4ccd7b5dd9ebb14e97ad35fb3bc093225b939a.tar.xz
Prevent heap-buffer-overflow in CCodec_ProgressiveDecoder
In CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback, m_pSrcPalette can be allocated size pal_num. So if pal_index >= pal_num, then bail out. BUG=691278 Change-Id: Ib0157cf51cbf52ecd5d60b027e5fc32898a906ed Reviewed-on: https://pdfium-review.googlesource.com/2699 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/codec/fx_codec_progress.cpp14
1 files changed, 7 insertions, 7 deletions
diff --git a/core/fxcodec/codec/fx_codec_progress.cpp b/core/fxcodec/codec/fx_codec_progress.cpp
index 386b66a7e6..4a1719f0f7 100644
--- a/core/fxcodec/codec/fx_codec_progress.cpp
+++ b/core/fxcodec/codec/fx_codec_progress.cpp
@@ -663,11 +663,10 @@ bool CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback(
pal_num = pCodec->m_GifPltNumber;
pPalette = pCodec->m_pGifPalette;
}
- if (!pCodec->m_pSrcPalette) {
+ if (!pCodec->m_pSrcPalette)
pCodec->m_pSrcPalette = FX_Alloc(FX_ARGB, pal_num);
- } else if (pal_num > pCodec->m_SrcPaletteNumber) {
+ else if (pal_num > pCodec->m_SrcPaletteNumber)
pCodec->m_pSrcPalette = FX_Realloc(FX_ARGB, pCodec->m_pSrcPalette, pal_num);
- }
if (!pCodec->m_pSrcPalette)
return false;
@@ -682,15 +681,16 @@ bool CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback(
pCodec->m_SrcPassNumber = interlace ? 4 : 1;
int32_t pal_index = pCodec->m_GifBgIndex;
CFX_DIBitmap* pDevice = pCodec->m_pDeviceBitmap;
- if (trans_index >= pal_num) {
+ if (trans_index >= pal_num)
trans_index = -1;
- }
if (trans_index != -1) {
pCodec->m_pSrcPalette[trans_index] &= 0x00ffffff;
- if (pDevice->HasAlpha()) {
+ if (pDevice->HasAlpha())
pal_index = trans_index;
- }
}
+ if (pal_index >= pal_num)
+ return false;
+
int startX = pCodec->m_startX;
int startY = pCodec->m_startY;
int sizeX = pCodec->m_sizeX;