diff options
| author | Ryan Harrison <rharrison@chromium.org> | 2018-02-07 20:00:25 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-02-07 20:00:25 +0000 |
| commit | 6c67da092ce8bb384f60e2eae32e18b7283ae76e (patch) | |
| tree | 0c803c04d7313936e7a528f9bff715e0772d52a8 /core | |
| parent | ec7d8e21e72562d664e9596cb73bae6da8d6703c (diff) | |
| download | pdfium-6c67da092ce8bb384f60e2eae32e18b7283ae76e.tar.xz | |
Check that request sizes in ReadData don't overflow
When a very large, bogus value, was being passed in for the number of
bytes to read, this could cause an overflow in the check for if there
is data available.
BUG=chromium:809824
Change-Id: I54af6655b61d39275f3ae6fabb27be2bee3fef05
Reviewed-on: https://pdfium-review.googlesource.com/25871
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core')
| -rw-r--r-- | core/fxcodec/bmp/cfx_bmpdecompressor.cpp | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp index d5d96de65d..191df8e29a 100644 --- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp +++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp @@ -12,6 +12,7 @@ #include "core/fxcodec/bmp/cfx_bmpcontext.h" #include "core/fxcrt/fx_system.h" #include "third_party/base/logging.h" +#include "third_party/base/numerics/safe_math.h" #include "third_party/base/ptr_util.h" namespace { @@ -629,12 +630,14 @@ int32_t CFX_BmpDecompressor::DecodeRLE4() { NOTREACHED(); } -uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size_) { - if (avail_in_ < skip_size_ + data_size_) +uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size) { + pdfium::base::CheckedNumeric<uint32_t> request_size = data_size; + request_size += skip_size_; + if (!request_size.IsValid() || avail_in_ < request_size.ValueOrDie()) return nullptr; *des_buf = next_in_ + skip_size_; - skip_size_ += data_size_; + skip_size_ += data_size; return *des_buf; } |