summaryrefslogtreecommitdiff
path: root/core/fxcodec
diff options
context:
space:
mode:
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/codec/fx_codec_fax.cpp13
1 files changed, 12 insertions, 1 deletions
diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp
index c0202829ee..11c42ade28 100644
--- a/core/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/fxcodec/codec/fx_codec_fax.cpp
@@ -36,7 +36,11 @@ const uint8_t ZeroLeadPos[256] = {
4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 7, 8,
};
+// Limit of image dimension, an arbitrary large number.
+const int kMaxImageDimension = 0x01FFFF;
+
int FindBit(const uint8_t* data_buf, int max_pos, int start_pos, int bit) {
+ ASSERT(start_pos >= 0);
if (start_pos >= max_pos) {
return max_pos;
}
@@ -511,7 +515,7 @@ CCodec_FaxDecoder::CCodec_FaxDecoder(const uint8_t* src_buf,
m_OrigWidth = width;
if (m_OrigHeight == 0)
m_OrigHeight = height;
- // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder.
+ // Should not overflow. Checked by CCodec_FaxDecoder::CreateDecoder.
m_Pitch = (static_cast<uint32_t>(m_OrigWidth) + 31) / 32 * 4;
m_OutputWidth = m_OrigWidth;
m_OutputHeight = m_OrigHeight;
@@ -624,6 +628,13 @@ CCodec_ScanlineDecoder* CCodec_FaxModule::CreateDecoder(
FX_BOOL BlackIs1,
int Columns,
int Rows) {
+ // Reject invalid values.
+ if (width <= 0 || height < 0 || Columns < 0 || Rows < 0)
+ return nullptr;
+ // Reject unreasonable large input.
+ if (width > kMaxImageDimension || height > kMaxImageDimension ||
+ Columns > kMaxImageDimension || Rows > kMaxImageDimension)
+ return nullptr;
return new CCodec_FaxDecoder(src_buf, src_size, width, height, K, EndOfLine,
EncodedByteAlign, BlackIs1, Columns, Rows);
}