Redo range check in CPDF_SampledFunc::v_Call().

The current |bitpos1| calculation protects the passed argument to
_GetBits32(): |bitpos.ValueOrDie() + j * m_nBitsPerSample|, but doesn't
account for adding in the sample length in that routine.

Also bound bits per sample to something reasonable to avoid undefined
behaviour on the shift to compute the max value.

BUG=471990
R=jun_fang@foxitsoftware.com

Review URL: https://codereview.chromium.org/1219663003.

1 files changed, 56 insertions, 0 deletions

diff --git a/testing/resources/bug_471990.in b/testing/resources/bug_471990.in
new file mode 100644
index 0000000000..7425405d27
--- /dev/null
+++ b/testing/resources/bug_471990.in
@@ -0,0 +1,56 @@
+{{header}}
+{{object 1 0}} <<
+  /Type /Catalog
+  /Pages 2 0 R
+>>
+endobj
+{{object 2 0}} <<
+  /Type /Pages
+  /Kids [10 0 R]
+  /Count 1
+>>
+{{object 10 0}} <<
+  /Type /Page
+  /Parent 2 0 R
+  /Resources <<
+    /ColorSpace <<
+      /cs1 20 0 R
+    >>
+  >>
+  /Contents 30 0 R
+  /MediaBox [0 0 842 1191]
+  /CropBox [123.307 198.425 718.693 992.575]
+>>
+endobj
+{{object 20 0}} [
+  /Separation /All
+  /DeviceCMYK 21 0 R
+]
+endobj
+{{object 21 0}} <<
+  /FunctionType 0
+  /BitsPerSample 536870910
+  /Range [0 1 0 1 0 1 0 1]
+  /Decode [0 1 0 1 0 1 0 1]
+  /Length 1073741823
+  /Encode [0 1]
+  /Domain [0 1]
+  /Size [2]
+>>
+stream
+endstream
+endobj
+{{object 30 0}} <<
+>>
+stream
+/cs1 cs
+0 scn
+endstream
+endobj
+{{xref}}
+trailer <<
+  /Root 1 0 R
+  /Size 30
+>>
+{{startxref}}
+%%EOF