authorLei Zhang <thestig@chromium.org>2018-04-23 18:44:46 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-23 18:44:46 +0000
commit76e202c638e343cb59f255df59580f4d658d2f9c (patch)
treebe8ddefcfd6344c9bf7dbed50f5c64b9ed157e76 /core
parentbb47f9a442b5ea2196f18cb2df3cedd34b81b9ad (diff)
Validate the Size dictionary entry in CPDF_SampledFunc.
It is required to be an array of positive integers. The existing implementation seems to accommodate non-compliant PDFs where the Size entry is an integer. Change-Id: I58faa3f84ca627f189c67bab5884d4b1f9b105ca Reviewed-on: https://pdfium-review.googlesource.com/31151 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/page/cpdf_sampledfunc.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/core/fpdfapi/page/cpdf_sampledfunc.cpp b/core/fpdfapi/page/cpdf_sampledfunc.cpp
index 6ec87fc672..6039d630ef 100644
--- a/core/fpdfapi/page/cpdf_sampledfunc.cpp
+++ b/core/fpdfapi/page/cpdf_sampledfunc.cpp
@@ -44,6 +44,9 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
const CPDF_Dictionary* pDict = pStream->GetDict();
const CPDF_Array* pSize = pDict->GetArrayFor("Size");
+ if (!pSize || pSize->IsEmpty())
+ return false;
+
const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
m_nBitsPerSample = pDict->GetIntegerFor("BitsPerSample");
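Review bot: The new guard `if (!pSize || pSize->IsEmpty()) return false;` turns a previously tolerated input (a `Size` entry stored as a plain integer, which the fallback removed from the loop in the next hunk handled) into a hard failure, and nothing at the return site records that this is deliberate. A short comment above the check would capture the decision, for example `// Size must be a non-empty array; a bare integer Size is non-compliant and is rejected.` The guard only proves the array has at least one entry, not one per input, so the per-index check in the loop remains the real validation. v_Init starts and ends outside this hunk.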
@@ -56,9 +59,11 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
FX_SAFE_UINT32 nTotalSampleBits = 1;
m_EncodeInfo.resize(m_nInputs);
for (uint32_t i = 0; i < m_nInputs; i++) {
- m_EncodeInfo[i].sizes = pSize ? pSize->GetIntegerAt(i) : 0;
- if (!pSize && i == 0)
- m_EncodeInfo[i].sizes = pDict->GetIntegerFor("Size");
+ int size = pSize->GetIntegerAt(i);
+ if (size <= 0)
+ return false;
+
+ m_EncodeInfo[i].sizes = size;
nTotalSampleBits *= m_EncodeInfo[i].sizes;
if (pEncode) {
m_EncodeInfo[i].encode_min = pEncode->GetFloatAt(i * 2);
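Review bot: A `Size` array shorter than `m_nInputs` is rejected only implicitly: `pSize->GetIntegerAt(i)` is relied on to return a non-positive value for a missing or non-numeric entry so that `if (size <= 0)` catches it. That presumably holds for CPDF_Array but is not visible here. A comment on the check such as `// Also rejects missing or non-integer entries, which read as 0.` (to be confirmed against GetIntegerAt) would make the dependency explicit. The `Encode` read on the last context line (`pEncode->GetFloatAt(i * 2)`) takes file-controlled values with no comparable length or range check in this hunk; whether they are clamped later cannot be seen from here. The loop body continues past the end of the hunk.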