summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-09-20 16:23:02 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-09-20 16:23:02 +0000
commit34cdc8f393130985e1a3aa21ee09a4008ec88bdd (patch)
tree84076024fa1bef0709ef1ad33146c16c1503300d /core
parentb739b4a9cbc991261627a51cba24907b5d0a8dd4 (diff)
downloadpdfium-34cdc8f393130985e1a3aa21ee09a4008ec88bdd.tar.xz
Validate some image data in CPDF_Image::InitJPEG().
Change-Id: I55e840667acfda831488d75efc97504355813dd1 Reviewed-on: https://pdfium-review.googlesource.com/42850 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/page/cpdf_image.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/core/fpdfapi/page/cpdf_image.cpp b/core/fpdfapi/page/cpdf_image.cpp
index 9fdfa76710..85e7d8a038 100644
--- a/core/fpdfapi/page/cpdf_image.cpp
+++ b/core/fpdfapi/page/cpdf_image.cpp
@@ -32,6 +32,18 @@
#include "third_party/base/numerics/safe_conversions.h"
#include "third_party/base/ptr_util.h"
+namespace {
+
+bool IsValidJpegComponent(int32_t comps) {
+ return comps == 1 || comps == 3 || comps == 4;
+}
+
+bool IsValidJpegBitsPerComponent(int32_t bpc) {
+ return bpc == 1 || bpc == 2 || bpc == 4 || bpc == 8 || bpc == 16;
+}
+
+} // namespace
+
CPDF_Image::CPDF_Image(CPDF_Document* pDoc) : m_pDocument(pDoc) {}
CPDF_Image::CPDF_Image(CPDF_Document* pDoc,
@@ -82,6 +94,8 @@ std::unique_ptr<CPDF_Dictionary> CPDF_Image::InitJPEG(
src_span, &width, &height, &num_comps, &bits, &color_trans)) {
return nullptr;
}
+ if (!IsValidJpegComponent(num_comps) || !IsValidJpegBitsPerComponent(bits))
+ return nullptr;
auto pDict =
pdfium::MakeUnique<CPDF_Dictionary>(m_pDocument->GetByteStringPool());