diff options
author | Lei Zhang <thestig@chromium.org> | 2018-04-19 16:46:04 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-19 16:46:04 +0000 |
commit | c0043a8ccdf0768c2bd285f90e730645cb38a0c7 (patch) | |
tree | 5f0f077b8917118d3d20ce26a7865567e8299a43 /core | |
parent | f24afac5e17e10f70336912ff85d8cb9c783f8a8 (diff) | |
download | pdfium-c0043a8ccdf0768c2bd285f90e730645cb38a0c7.tar.xz |
Validate the Range key in Functions.
They are required for type 0 and type 4 functions. The number of outputs
should not be 0.
Change-Id: I4cb1fa14a32ef0a1c92230d83461c697f389106f
Reviewed-on: https://pdfium-review.googlesource.com/30931
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/fpdfapi/page/cpdf_function.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/core/fpdfapi/page/cpdf_function.cpp b/core/fpdfapi/page/cpdf_function.cpp index ce119ca487..a43c887e71 100644 --- a/core/fpdfapi/page/cpdf_function.cpp +++ b/core/fpdfapi/page/cpdf_function.cpp @@ -98,14 +98,24 @@ bool CPDF_Function::Init(CPDF_Object* pObj, std::set<CPDF_Object*>* pVisited) { } CPDF_Array* pRanges = pDict->GetArrayFor("Range"); - m_nOutputs = 0; - if (pRanges) { - m_nOutputs = pRanges->GetCount() / 2; + m_nOutputs = pRanges ? pRanges->GetCount() / 2 : 0; + + // Ranges are required for type 0 and type 4 functions. A non-zero + // |m_nOutputs| here implied Ranges meets the requirements. + { + bool bRangeRequired = + m_Type == Type::kType0Sampled || m_Type == Type::kType4PostScript; + if (bRangeRequired && m_nOutputs == 0) + return false; + } + + if (m_nOutputs > 0) { size_t nOutputs = m_nOutputs * 2; m_pRanges = FX_Alloc(float, nOutputs); for (size_t i = 0; i < nOutputs; ++i) m_pRanges[i] = pRanges->GetFloatAt(i); } + uint32_t old_outputs = m_nOutputs; if (!v_Init(pObj, pVisited)) return false; |