From 4dd613cb51c1d77ac2998f760325ed5b93f4ebf0 Mon Sep 17 00:00:00 2001 From: kcwu Date: Fri, 23 Sep 2016 09:26:51 -0700 Subject: Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder BUG=648935,649436 Review-Url: https://codereview.chromium.org/2360283004 --- core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp | 3 --- core/fxcodec/codec/fx_codec_fax.cpp | 13 ++++++++++++- testing/libfuzzer/pdf_codec_fax_fuzzer.cc | 8 +++++--- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp index 72a9518ca9..1b5bd024f8 100644 --- a/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp +++ b/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp @@ -248,9 +248,6 @@ CCodec_ScanlineDecoder* FPDFAPI_CreateFaxDecoder( if (Rows > USHRT_MAX) { Rows = 0; } - if (Columns <= 0 || Rows < 0 || Columns > USHRT_MAX || Rows > USHRT_MAX) { - return nullptr; - } } return CPDF_ModuleMgr::Get()->GetFaxModule()->CreateDecoder( src_buf, src_size, width, height, K, EndOfLine, ByteAlign, BlackIs1, diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp index c0202829ee..11c42ade28 100644 --- a/core/fxcodec/codec/fx_codec_fax.cpp +++ b/core/fxcodec/codec/fx_codec_fax.cpp @@ -36,7 +36,11 @@ const uint8_t ZeroLeadPos[256] = { 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 7, 8, }; +// Limit of image dimension, an arbitrary large number. +const int kMaxImageDimension = 0x01FFFF; + int FindBit(const uint8_t* data_buf, int max_pos, int start_pos, int bit) { + ASSERT(start_pos >= 0); if (start_pos >= max_pos) { return max_pos; } @@ -511,7 +515,7 @@ CCodec_FaxDecoder::CCodec_FaxDecoder(const uint8_t* src_buf, m_OrigWidth = width; if (m_OrigHeight == 0) m_OrigHeight = height; - // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder. + // Should not overflow. Checked by CCodec_FaxDecoder::CreateDecoder. m_Pitch = (static_cast(m_OrigWidth) + 31) / 32 * 4; m_OutputWidth = m_OrigWidth; m_OutputHeight = m_OrigHeight; @@ -624,6 +628,13 @@ CCodec_ScanlineDecoder* CCodec_FaxModule::CreateDecoder( FX_BOOL BlackIs1, int Columns, int Rows) { + // Reject invalid values. + if (width <= 0 || height < 0 || Columns < 0 || Rows < 0) + return nullptr; + // Reject unreasonable large input. + if (width > kMaxImageDimension || height > kMaxImageDimension || + Columns > kMaxImageDimension || Rows > kMaxImageDimension) + return nullptr; return new CCodec_FaxDecoder(src_buf, src_size, width, height, K, EndOfLine, EncodedByteAlign, BlackIs1, Columns, Rows); } diff --git a/testing/libfuzzer/pdf_codec_fax_fuzzer.cc b/testing/libfuzzer/pdf_codec_fax_fuzzer.cc index 1a04c31aa0..60e2c9ff19 100644 --- a/testing/libfuzzer/pdf_codec_fax_fuzzer.cc +++ b/testing/libfuzzer/pdf_codec_fax_fuzzer.cc @@ -34,9 +34,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { EndOfLine, ByteAlign, BlackIs1, Columns, Rows)); - int line = 0; - while (decoder->GetScanline(line)) - line++; + if (decoder) { + int line = 0; + while (decoder->GetScanline(line)) + line++; + } return 0; } -- cgit v1.2.3