From 34cdc8f393130985e1a3aa21ee09a4008ec88bdd Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 20 Sep 2018 16:23:02 +0000
Subject: Validate some image data in CPDF_Image::InitJPEG().

Change-Id: I55e840667acfda831488d75efc97504355813dd1
Reviewed-on: https://pdfium-review.googlesource.com/42850
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 core/fpdfapi/page/cpdf_image.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/core/fpdfapi/page/cpdf_image.cpp b/core/fpdfapi/page/cpdf_image.cpp
index 9fdfa76710..85e7d8a038 100644
--- a/core/fpdfapi/page/cpdf_image.cpp
+++ b/core/fpdfapi/page/cpdf_image.cpp
@@ -32,6 +32,18 @@
 #include "third_party/base/numerics/safe_conversions.h"
 #include "third_party/base/ptr_util.h"
 
+namespace {
+
+bool IsValidJpegComponent(int32_t comps) {
+  return comps == 1 || comps == 3 || comps == 4;
+}
+
+bool IsValidJpegBitsPerComponent(int32_t bpc) {
+  return bpc == 1 || bpc == 2 || bpc == 4 || bpc == 8 || bpc == 16;
+}
+
+}  // namespace
+
 CPDF_Image::CPDF_Image(CPDF_Document* pDoc) : m_pDocument(pDoc) {}
 
 CPDF_Image::CPDF_Image(CPDF_Document* pDoc,
@@ -82,6 +94,8 @@ std::unique_ptr<CPDF_Dictionary> CPDF_Image::InitJPEG(
           src_span, &width, &height, &num_comps, &bits, &color_trans)) {
     return nullptr;
   }
+  if (!IsValidJpegComponent(num_comps) || !IsValidJpegBitsPerComponent(bits))
+    return nullptr;
 
   auto pDict =
       pdfium::MakeUnique<CPDF_Dictionary>(m_pDocument->GetByteStringPool());
-- 
cgit v1.2.3