Redo range check in CPDF_SampledFunc::v_Call().

The current |bitpos1| calculation protects the passed argument to _GetBits32(): |bitpos.ValueOrDie() + j * m_nBitsPerSample|, but doesn't account for adding in the sample length in that routine. Also bound bits per sample to something reasonable to avoid undefined behaviour on the shift to compute the max value. BUG=471990 R=jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/1219663003.
author: Tom Sepez <tsepez@chromium.org> 2015-06-30 12:18:55 -0700
committer: Tom Sepez <tsepez@chromium.org> 2015-06-30 12:18:55 -0700
commit: 74742a75ac7a07c08cf36fe6f4eaa91bed8236a3 (patch)
tree: cd7863a159b4c8dd691aa280efee56158e1ee42e /testing
parent: c01c977c9c6e56faf709400547c9b085b8972024 (diff)
download: pdfium-74742a75ac7a07c08cf36fe6f4eaa91bed8236a3.tar.xz
2 files changed, 146 insertions, 0 deletions
diff --git a/testing/resources/bug_471990.in b/testing/resources/bug_471990.in
new file mode 100644
index 0000000000..7425405d27
--- /dev/null
+++ b/testing/resources/bug_471990.in
@@ -0,0 +1,56 @@
+{{header}}
+{{object 1 0}} <<
+  /Type /Catalog
+  /Pages 2 0 R
+>>
+endobj
+{{object 2 0}} <<
+  /Type /Pages
+  /Kids [10 0 R]
+  /Count 1
+>>
+{{object 10 0}} <<
+  /Type /Page
+  /Parent 2 0 R
+  /Resources <<
+    /ColorSpace <<
+      /cs1 20 0 R
+    >>
+  >>
+  /Contents 30 0 R
+  /MediaBox [0 0 842 1191]
+  /CropBox [123.307 198.425 718.693 992.575]
+>>
+endobj
+{{object 20 0}} [
+  /Separation /All
+  /DeviceCMYK 21 0 R
+]
+endobj
+{{object 21 0}} <<
+  /FunctionType 0
+  /BitsPerSample 536870910
+  /Range [0 1 0 1 0 1 0 1]
+  /Decode [0 1 0 1 0 1 0 1]
+  /Length 1073741823
+  /Encode [0 1]
+  /Domain [0 1]
+  /Size [2]
+>>
+stream
+endstream
+endobj
+{{object 30 0}} <<
+>>
+stream
+/cs1 cs
+0 scn
+endstream
+endobj
+{{xref}}
+trailer <<
+  /Root 1 0 R
+  /Size 30
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_471990.pdf b/testing/resources/bug_471990.pdf
new file mode 100644
index 0000000000..8d8a3e22c0
--- /dev/null
+++ b/testing/resources/bug_471990.pdf
@@ -0,0 +1,90 @@
+%PDF-1.7
+%���
+1 0 obj <<
+  /Type /Catalog
+  /Pages 2 0 R
+>>
+endobj
+2 0 obj <<
+  /Type /Pages
+  /Kids [10 0 R]
+  /Count 1
+>>
+10 0 obj <<
+  /Type /Page
+  /Parent 2 0 R
+  /Resources <<
+    /ColorSpace <<
+      /cs1 20 0 R
+    >>
+  >>
+  /Contents 30 0 R
+  /MediaBox [0 0 842 1191]
+  /CropBox [123.307 198.425 718.693 992.575]
+>>
+endobj
+20 0 obj [
+  /Separation /All
+  /DeviceCMYK 21 0 R
+]
+endobj
+21 0 obj <<
+  /FunctionType 0
+  /BitsPerSample 536870910
+  /Range [0 1 0 1 0 1 0 1]
+  /Decode [0 1 0 1 0 1 0 1]
+  /Length 1073741823
+  /Encode [0 1]
+  /Domain [0 1]
+  /Size [2]
+>>
+stream
+endstream
+endobj
+30 0 obj <<
+>>
+stream
+/cs1 cs
+0 scn
+endstream
+endobj
+xref
+0 31
+0000000000 65535 f 
+0000000015 00000 n 
+0000000068 00000 n 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000125 00000 n 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000333 00000 n 
+0000000393 00000 n 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000000 65535 f 
+0000000597 00000 n 
+trailer <<
+  /Root 1 0 R
+  /Size 30
+>>
+startxref
+650
+%%EOF
author	Tom Sepez <tsepez@chromium.org>	2015-06-30 12:18:55 -0700
committer	Tom Sepez <tsepez@chromium.org>	2015-06-30 12:18:55 -0700
commit	74742a75ac7a07c08cf36fe6f4eaa91bed8236a3 (patch)
tree	cd7863a159b4c8dd691aa280efee56158e1ee42e /testing
parent	c01c977c9c6e56faf709400547c9b085b8972024 (diff)
download	pdfium-74742a75ac7a07c08cf36fe6f4eaa91bed8236a3.tar.xz