summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-04-19 16:46:04 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-19 16:46:04 +0000
commitc0043a8ccdf0768c2bd285f90e730645cb38a0c7 (patch)
tree5f0f077b8917118d3d20ce26a7865567e8299a43 /core
parentf24afac5e17e10f70336912ff85d8cb9c783f8a8 (diff)
downloadpdfium-c0043a8ccdf0768c2bd285f90e730645cb38a0c7.tar.xz
Validate the Range key in Functions.
They are required for type 0 and type 4 functions. The number of outputs should not be 0. Change-Id: I4cb1fa14a32ef0a1c92230d83461c697f389106f Reviewed-on: https://pdfium-review.googlesource.com/30931 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/page/cpdf_function.cpp16
1 files changed, 13 insertions, 3 deletions
diff --git a/core/fpdfapi/page/cpdf_function.cpp b/core/fpdfapi/page/cpdf_function.cpp
index ce119ca487..a43c887e71 100644
--- a/core/fpdfapi/page/cpdf_function.cpp
+++ b/core/fpdfapi/page/cpdf_function.cpp
@@ -98,14 +98,24 @@ bool CPDF_Function::Init(CPDF_Object* pObj, std::set<CPDF_Object*>* pVisited) {
}
CPDF_Array* pRanges = pDict->GetArrayFor("Range");
- m_nOutputs = 0;
- if (pRanges) {
- m_nOutputs = pRanges->GetCount() / 2;
+ m_nOutputs = pRanges ? pRanges->GetCount() / 2 : 0;
+
+ // Ranges are required for type 0 and type 4 functions. A non-zero
+ // |m_nOutputs| here implied Ranges meets the requirements.
+ {
+ bool bRangeRequired =
+ m_Type == Type::kType0Sampled || m_Type == Type::kType4PostScript;
+ if (bRangeRequired && m_nOutputs == 0)
+ return false;
+ }
+
+ if (m_nOutputs > 0) {
size_t nOutputs = m_nOutputs * 2;
m_pRanges = FX_Alloc(float, nOutputs);
for (size_t i = 0; i < nOutputs; ++i)
m_pRanges[i] = pRanges->GetFloatAt(i);
}
+
uint32_t old_outputs = m_nOutputs;
if (!v_Init(pObj, pVisited))
return false;