diff options
-rw-r--r-- | core/fpdfapi/page/cpdf_streamparser.cpp | 47 |
1 files changed, 21 insertions, 26 deletions
diff --git a/core/fpdfapi/page/cpdf_streamparser.cpp b/core/fpdfapi/page/cpdf_streamparser.cpp index 88b3993327..a64e14d741 100644 --- a/core/fpdfapi/page/cpdf_streamparser.cpp +++ b/core/fpdfapi/page/cpdf_streamparser.cpp @@ -29,6 +29,7 @@ #include "core/fpdfapi/parser/fpdf_parser_utility.h" #include "core/fxcodec/codec/ccodec_jpegmodule.h" #include "core/fxcodec/codec/ccodec_scanlinedecoder.h" +#include "core/fxcodec/fx_codec.h" #include "core/fxcrt/fx_extension.h" namespace { @@ -36,27 +37,26 @@ namespace { const uint32_t kMaxNestedParsingLevel = 512; const size_t kMaxStringLength = 32767; -uint32_t DecodeAllScanlines(std::unique_ptr<CCodec_ScanlineDecoder> pDecoder, - uint8_t** dest_buf, - uint32_t* dest_size) { +uint32_t DecodeAllScanlines(std::unique_ptr<CCodec_ScanlineDecoder> pDecoder) { if (!pDecoder) return FX_INVALID_OFFSET; + int ncomps = pDecoder->CountComps(); int bpc = pDecoder->GetBPC(); int width = pDecoder->GetWidth(); int height = pDecoder->GetHeight(); - int pitch = (width * ncomps * bpc + 7) / 8; - if (height == 0 || pitch > (1 << 30) / height) + if (width <= 0 || height <= 0) + return FX_INVALID_OFFSET; + + FX_SAFE_UINT32 size = CalculatePitch8(bpc, ncomps, width); + size *= height; + if (size.ValueOrDefault(0) == 0) return FX_INVALID_OFFSET; - *dest_buf = FX_Alloc2D(uint8_t, pitch, height); - *dest_size = pitch * height; // Safe since checked alloc returned. for (int row = 0; row < height; ++row) { - const uint8_t* pLine = pDecoder->GetScanline(row); - if (!pLine) + if (!pDecoder->GetScanline(row)) break; - memcpy(*dest_buf + row * pitch, pLine, pitch); } return pDecoder->GetSrcOffset(); } @@ -66,38 +66,36 @@ uint32_t DecodeInlineStream(pdfium::span<const uint8_t> src_span, int height, const ByteString& decoder, CPDF_Dictionary* pParam, - uint8_t** dest_buf, - uint32_t* dest_size) { - *dest_buf = nullptr; - *dest_size = 0; + uint32_t orig_size) { std::unique_ptr<uint8_t, FxFreeDeleter> ignored_result; + uint32_t ignored_size; if (decoder == "FlateDecode" || decoder == "Fl") { - return FlateOrLZWDecode(false, src_span, pParam, *dest_size, - &ignored_result, dest_size); + return FlateOrLZWDecode(false, src_span, pParam, orig_size, &ignored_result, + &ignored_size); } if (decoder == "LZWDecode" || decoder == "LZW") { return FlateOrLZWDecode(true, src_span, pParam, 0, &ignored_result, - dest_size); + &ignored_size); } if (decoder == "DCTDecode" || decoder == "DCT") { std::unique_ptr<CCodec_ScanlineDecoder> pDecoder = CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder( src_span, width, height, 0, !pParam || pParam->GetIntegerFor("ColorTransform", 1)); - return DecodeAllScanlines(std::move(pDecoder), dest_buf, dest_size); + return DecodeAllScanlines(std::move(pDecoder)); } if (decoder == "CCITTFaxDecode" || decoder == "CCF") { std::unique_ptr<CCodec_ScanlineDecoder> pDecoder = CreateFaxDecoder(src_span, width, height, pParam); - return DecodeAllScanlines(std::move(pDecoder), dest_buf, dest_size); + return DecodeAllScanlines(std::move(pDecoder)); } if (decoder == "ASCII85Decode" || decoder == "A85") - return A85Decode(src_span, &ignored_result, dest_size); + return A85Decode(src_span, &ignored_result, &ignored_size); if (decoder == "ASCIIHexDecode" || decoder == "AHx") - return HexDecode(src_span, &ignored_result, dest_size); + return HexDecode(src_span, &ignored_result, &ignored_size); if (decoder == "RunLengthDecode" || decoder == "RL") - return RunLengthDecode(src_span, &ignored_result, dest_size); + return RunLengthDecode(src_span, &ignored_result, &ignored_size); return FX_INVALID_OFFSET; } @@ -186,11 +184,8 @@ std::unique_ptr<CPDF_Stream> CPDF_StreamParser::ReadInlineStream( dwStreamSize = OrigSize; m_Pos += OrigSize; } else { - uint8_t* pIgnore = nullptr; - uint32_t dwDestSize = OrigSize; dwStreamSize = DecodeInlineStream(m_pBuf.subspan(m_Pos), width, height, - Decoder, pParam, &pIgnore, &dwDestSize); - FX_Free(pIgnore); + Decoder, pParam, OrigSize); if (static_cast<int>(dwStreamSize) < 0) return nullptr; |