From 5a2114eced31ce389ede4486d492faf6db4d7a04 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 27 Apr 2018 18:52:47 +0000
Subject: Do validation earlier in CPDF_SampledFunc::v_Init(). (try 2)
This time, correctly multiply |nTotalSampleBits| before checking it.
Change-Id: I68befeedb54626314f7bb00a35e567d2cbf1cc10
Reviewed-on: https://pdfium-review.googlesource.com/31152
Reviewed-by: Tom Sepez
Reviewed-by: Henrique Nakashima
Commit-Queue: Lei Zhang
---
 core/fpdfapi/page/cpdf_sampledfunc.cpp | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/core/fpdfapi/page/cpdf_sampledfunc.cpp b/core/fpdfapi/page/cpdf_sampledfunc.cpp
index 6039d630ef..3777254f34 100644
--- a/core/fpdfapi/page/cpdf_sampledfunc.cpp
+++ b/core/fpdfapi/page/cpdf_sampledfunc.cpp
@@ -47,16 +47,13 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
 if (!pSize || pSize->IsEmpty())
 return false;
- const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
- const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
 m_nBitsPerSample = pDict->GetIntegerFor("BitsPerSample");
 if (!IsValidBitsPerSample(m_nBitsPerSample))
 return false;
- m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);
- m_pSampleStream = pdfium::MakeRetain(pStream);
- m_pSampleStream->LoadAllDataFiltered();
- FX_SAFE_UINT32 nTotalSampleBits = 1;
+ FX_SAFE_UINT32 nTotalSampleBits = m_nBitsPerSample;
+ nTotalSampleBits *= m_nOutputs;
+ const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
 m_EncodeInfo.resize(m_nInputs);
 for (uint32_t i = 0; i < m_nInputs; i++) {
 int size = pSize->GetIntegerAt(i);
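Review bot: The new seed `FX_SAFE_UINT32 nTotalSampleBits = m_nBitsPerSample;` followed by `nTotalSampleBits *= m_nOutputs;` carries no comment saying that the total is only complete once the loop below has folded in each Size entry, and the commit message indicates the first attempt got exactly this ordering wrong. A short comment such as `// BitsPerSample * nOutputs; the loop below must multiply in every Size entry before the byte count is validated.` would pin that down. The diffstat lists only cpdf_sampledfunc.cpp, so no regression test with an overflowing Size product or a too-short sample stream accompanies the change; one would guard both rejection paths. The loop body runs past the end of the hunk, so the per-dimension multiplication is presumed rather than visible here.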
@@ -74,15 +71,17 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
 m_EncodeInfo[i].sizes == 1 ? 1 : m_EncodeInfo[i].sizes - 1;
 }
 }
- nTotalSampleBits *= m_nBitsPerSample;
- nTotalSampleBits *= m_nOutputs;
- FX_SAFE_UINT32 nTotalSampleBytes = nTotalSampleBits;
- nTotalSampleBytes += 7;
- nTotalSampleBytes /= 8;
- if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0 ||
- nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()) {
+ FX_SAFE_UINT32 nTotalSampleBytes = (nTotalSampleBits + 7) / 8;
+ if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0)
 return false;
- }
+
+ m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);
+ m_pSampleStream = pdfium::MakeRetain(pStream);
+ m_pSampleStream->LoadAllDataFiltered();
+ if (nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize())
+ return false;
+
+ const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
 m_DecodeInfo.resize(m_nOutputs);
 for (uint32_t i = 0; i < m_nOutputs; i++) {
 if (pDecode) {
-- 
cgit v1.2.3
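Review bot: The moved line `m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);` is only well defined when m_nBitsPerSample lies between 1 and 32, and it now sits a whole loop away from the IsValidBitsPerSample() call in the previous hunk, so that dependency is easy to miss. IsValidBitsPerSample() is not shown here; confirm it rejects 0 and anything above 32, and say so next to the shift, e.g. `// m_nBitsPerSample was validated above, so the shift count is in [0, 31].` The new `nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()` test also deserves a one-line comment, since it appears to be the bound that later reads of the sample data rely on. v_Init's body continues outside the hunk.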