From 3e4b1bc1ac4eb8372a90f95edd69131e54240976 Mon Sep 17 00:00:00 2001
From: foxit
Date: Fri, 20 Jun 2014 16:48:43 -0700
Subject: Stack-buffer-overflow in IccLib_Translate
BUG=382240
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/332143002
---
 core/include/fxcodec/fx_codec.h | 1 +
 core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 1 +
 core/src/fxcodec/codec/codec_int.h | 2 ++
 core/src/fxcodec/codec/fx_codec_icc.cpp | 12 ++++++------
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/core/include/fxcodec/fx_codec.h b/core/include/fxcodec/fx_codec.h
index e215bb1d79..ac3f71e7bb 100644
--- a/core/include/fxcodec/fx_codec.h
+++ b/core/include/fxcodec/fx_codec.h
@@ -281,6 +281,7 @@ public:
 virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues) = 0;
 virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels) = 0;
+ virtual void SetComponents(FX_DWORD nComponents) = 0;
 };
 void AdobeCMYK_to_sRGB(FX_FLOAT c, FX_FLOAT m, FX_FLOAT y, FX_FLOAT k, FX_FLOAT& R, FX_FLOAT& G, FX_FLOAT& B);
 void AdobeCMYK_to_sRGB1(FX_BYTE c, FX_BYTE m, FX_BYTE y, FX_BYTE k, FX_BYTE& R, FX_BYTE& G, FX_BYTE& B);
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
index 8c274b2607..c13395c7ce 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
@@ -642,6 +642,7 @@ FX_BOOL CPDF_ICCBasedCS::GetRGB(FX_FLOAT* pBuf, FX_FLOAT& R, FX_FLOAT& G, FX_FLO
 return TRUE;
 }
 FX_FLOAT rgb[3];
+ pIccModule->SetComponents(m_nComponents);
 pIccModule->Translate(m_pProfile->m_pTransform, pBuf, rgb);
 R = rgb[0];
 G = rgb[1];
diff --git a/core/src/fxcodec/codec/codec_int.h b/core/src/fxcodec/codec/codec_int.h
index 638d96db85..47f2c8e1fe 100644
--- a/core/src/fxcodec/codec/codec_int.h
+++ b/core/src/fxcodec/codec/codec_int.h
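Review bot: The new pure virtual `SetComponents` carries no comment, yet the `Translate` declared two lines above it now depends on it having been called with the number of entries in `pSrcValues` beforehand, and nothing in the interface tells a reader about that coupling. I would put above the declaration: `// Number of entries in pSrcValues that a following Translate() call may read. Must be set by the caller before each Translate(); the value is per-module state, not per-transform.` The class that declares these methods begins before the hunk.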
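Review bot: The component count is handed to `pIccModule` as state on the added line and consumed by the separate `Translate` call on the next line, so correctness depends on nothing else touching the module between the two calls; if `pIccModule` is a shared instance (how it is obtained is outside the hunk), a concurrent or re-entrant `GetRGB` on another ICC-based colorspace with a different `m_nComponents` would make this `Translate` read the wrong number of values from `pBuf`. Passing the count as an argument, `pIccModule->Translate(m_pProfile->m_pTransform, m_nComponents, pBuf, rgb);`, removes that window entirely; failing that, a comment on the `SetComponents` line saying the pair must not be interleaved with other callers is the minimum. `GetRGB` begins before the hunk, so whether `m_nComponents` was checked against the profile's own channel count cannot be seen here.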
@@ -172,10 +172,12 @@ public:
 virtual void DestroyTransform(FX_LPVOID pTransform);
 virtual void Translate(FX_LPVOID pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues);
 virtual void TranslateScanline(FX_LPVOID pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels);
+ virtual void SetComponents(FX_DWORD nComponents) {m_nComponents = nComponents;}
 virtual ~CCodec_IccModule();
 protected:
 CFX_MapByteStringToPtr m_MapTranform;
 CFX_MapByteStringToPtr m_MapProfile;
+ FX_DWORD m_nComponents;
 typedef enum {
 Icc_CLASS_INPUT = 0,
 Icc_CLASS_OUTPUT,
diff --git a/core/src/fxcodec/codec/fx_codec_icc.cpp b/core/src/fxcodec/codec/fx_codec_icc.cpp
index 22659ba9ff..b10d9c4868 100644
--- a/core/src/fxcodec/codec/fx_codec_icc.cpp
+++ b/core/src/fxcodec/codec/fx_codec_icc.cpp
@@ -147,7 +147,7 @@ void IccLib_DestroyTransform(void* pTransform)
 cmsDeleteTransform(((CLcmsCmm*)pTransform)->m_hTransform);
 delete (CLcmsCmm*)pTransform;
 }
-void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
+void IccLib_Translate(void* pTransform, FX_DWORD nSrcComponents, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
 {
 if (pTransform == NULL) {
 return;
@@ -155,16 +155,16 @@ void IccLib_Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestVal
 CLcmsCmm* p = (CLcmsCmm*)pTransform;
 FX_BYTE output[4];
 if (p->m_bLab) {
- CFX_FixedBufGrow inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow inputs(nSrcComponents);
 double* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
 input[i] = pSrcValues[i];
 }
 cmsDoTransform(p->m_hTransform, input, output, 1);
 } else {
- CFX_FixedBufGrow inputs(p->m_nSrcComponents);
+ CFX_FixedBufGrow inputs(nSrcComponents);
 FX_BYTE* input = inputs;
- for (int i = 0; i < p->m_nSrcComponents; i ++) {
+ for (FX_DWORD i = 0; i < nSrcComponents; i ++) {
 if (pSrcValues[i] > 1.0f) {
 input[i] = 255;
 } else if (pSrcValues[i] < 0) {
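Review bot: `FX_DWORD m_nComponents;` is added without an initializer and the hunk does not touch the constructor, so a `Translate` call on a freshly constructed module that has not yet seen `SetComponents` forwards an indeterminate count into `IccLib_Translate`, which sizes its input buffer and its copy loop by that value. Initializing it in the constructor's initializer list, `m_nComponents(0)` (the constructor is outside the hunk), at least makes the state deterministic; a zero count then still has to be rejected before the buffer reaches `cmsDoTransform`, which is a separate check in `IccLib_Translate`. The inline `SetComponents` body would also benefit from a one-line comment that the value must be set before every `Translate`. Class `CCodec_IccModule` begins before the hunk.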
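Review bot: Sizing `inputs` and the copy loop by `nSrcComponents` stops the read past the caller's `pSrcValues`, but `cmsDoTransform` on the line after each loop still consumes as many input channels as the transform was built with — the `p->m_nSrcComponents` value this hunk no longer consults — so when the caller's count is smaller than the profile's channel count the over-read moves from `pSrcValues` to `input` rather than going away. Guard before building the buffer, e.g. `if (nSrcComponents == 0 || nSrcComponents != p->m_nSrcComponents) return;` (adjusting for the signedness of `m_nSrcComponents`, whose declaration is outside the hunk), or reject the mismatch where the transform is created. That early return leaves `pDestValues` unwritten, exactly as the existing `pTransform == NULL` return already does, so callers continue to own initializing their output. `IccLib_Translate` continues past the hunk; `output[4]` is also sized for at most four output channels, which is safe only if transform creation guarantees that, and that code is not visible here.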
@@ -534,7 +534,7 @@ void CCodec_IccModule::DestroyTransform(void* pTransform)
 }
 void CCodec_IccModule::Translate(void* pTransform, FX_FLOAT* pSrcValues, FX_FLOAT* pDestValues)
 {
- IccLib_Translate(pTransform, pSrcValues, pDestValues);
+ IccLib_Translate(pTransform, m_nComponents, pSrcValues, pDestValues);
 }
 void CCodec_IccModule::TranslateScanline(void* pTransform, FX_LPBYTE pDest, FX_LPCBYTE pSrc, int pixels)
 {
-- cgit v1.2.3