From 4dd613cb51c1d77ac2998f760325ed5b93f4ebf0 Mon Sep 17 00:00:00 2001
From: kcwu <kcwu@chromium.org>
Date: Fri, 23 Sep 2016 09:26:51 -0700
Subject: Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder

BUG=648935,649436

Review-Url: https://codereview.chromium.org/2360283004
---
 core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp |  3 ---
 core/fxcodec/codec/fx_codec_fax.cpp             | 13 ++++++++++++-
 testing/libfuzzer/pdf_codec_fax_fuzzer.cc       |  8 +++++---
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
index 72a9518ca9..1b5bd024f8 100644
--- a/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
+++ b/core/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
@@ -248,9 +248,6 @@ CCodec_ScanlineDecoder* FPDFAPI_CreateFaxDecoder(
     if (Rows > USHRT_MAX) {
       Rows = 0;
     }
-    if (Columns <= 0 || Rows < 0 || Columns > USHRT_MAX || Rows > USHRT_MAX) {
-      return nullptr;
-    }
   }
   return CPDF_ModuleMgr::Get()->GetFaxModule()->CreateDecoder(
       src_buf, src_size, width, height, K, EndOfLine, ByteAlign, BlackIs1,
diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp
index c0202829ee..11c42ade28 100644
--- a/core/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/fxcodec/codec/fx_codec_fax.cpp
@@ -36,7 +36,11 @@ const uint8_t ZeroLeadPos[256] = {
     4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 7, 8,
 };
 
+// Limit of image dimension, an arbitrary large number.
+const int kMaxImageDimension = 0x01FFFF;
+
 int FindBit(const uint8_t* data_buf, int max_pos, int start_pos, int bit) {
+  ASSERT(start_pos >= 0);
   if (start_pos >= max_pos) {
     return max_pos;
   }
@@ -511,7 +515,7 @@ CCodec_FaxDecoder::CCodec_FaxDecoder(const uint8_t* src_buf,
     m_OrigWidth = width;
   if (m_OrigHeight == 0)
     m_OrigHeight = height;
-  // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder.
+  // Should not overflow. Checked by CCodec_FaxDecoder::CreateDecoder.
   m_Pitch = (static_cast<uint32_t>(m_OrigWidth) + 31) / 32 * 4;
   m_OutputWidth = m_OrigWidth;
   m_OutputHeight = m_OrigHeight;
@@ -624,6 +628,13 @@ CCodec_ScanlineDecoder* CCodec_FaxModule::CreateDecoder(
     FX_BOOL BlackIs1,
     int Columns,
     int Rows) {
+  // Reject invalid values.
+  if (width <= 0 || height < 0 || Columns < 0 || Rows < 0)
+    return nullptr;
+  // Reject unreasonable large input.
+  if (width > kMaxImageDimension || height > kMaxImageDimension ||
+      Columns > kMaxImageDimension || Rows > kMaxImageDimension)
+    return nullptr;
   return new CCodec_FaxDecoder(src_buf, src_size, width, height, K, EndOfLine,
                                EncodedByteAlign, BlackIs1, Columns, Rows);
 }
diff --git a/testing/libfuzzer/pdf_codec_fax_fuzzer.cc b/testing/libfuzzer/pdf_codec_fax_fuzzer.cc
index 1a04c31aa0..60e2c9ff19 100644
--- a/testing/libfuzzer/pdf_codec_fax_fuzzer.cc
+++ b/testing/libfuzzer/pdf_codec_fax_fuzzer.cc
@@ -34,9 +34,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
                                          EndOfLine, ByteAlign, BlackIs1,
                                          Columns, Rows));
 
-  int line = 0;
-  while (decoder->GetScanline(line))
-    line++;
+  if (decoder) {
+    int line = 0;
+    while (decoder->GetScanline(line))
+      line++;
+  }
 
   return 0;
 }
-- 
cgit v1.2.3