From 5a2114eced31ce389ede4486d492faf6db4d7a04 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 27 Apr 2018 18:52:47 +0000
Subject: Do validation earlier in CPDF_SampledFunc::v_Init(). (try 2)

This time, correctly multiply |nTotalSampleBits| before checking it.

Change-Id: I68befeedb54626314f7bb00a35e567d2cbf1cc10
Reviewed-on: https://pdfium-review.googlesource.com/31152
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 core/fpdfapi/page/cpdf_sampledfunc.cpp | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/core/fpdfapi/page/cpdf_sampledfunc.cpp b/core/fpdfapi/page/cpdf_sampledfunc.cpp
index 6039d630ef..3777254f34 100644
--- a/core/fpdfapi/page/cpdf_sampledfunc.cpp
+++ b/core/fpdfapi/page/cpdf_sampledfunc.cpp
@@ -47,16 +47,13 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
   if (!pSize || pSize->IsEmpty())
     return false;
 
-  const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
-  const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
   m_nBitsPerSample = pDict->GetIntegerFor("BitsPerSample");
   if (!IsValidBitsPerSample(m_nBitsPerSample))
     return false;
 
-  m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);
-  m_pSampleStream = pdfium::MakeRetain<CPDF_StreamAcc>(pStream);
-  m_pSampleStream->LoadAllDataFiltered();
-  FX_SAFE_UINT32 nTotalSampleBits = 1;
+  FX_SAFE_UINT32 nTotalSampleBits = m_nBitsPerSample;
+  nTotalSampleBits *= m_nOutputs;
+  const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
   m_EncodeInfo.resize(m_nInputs);
   for (uint32_t i = 0; i < m_nInputs; i++) {
     int size = pSize->GetIntegerAt(i);
@@ -74,15 +71,17 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
           m_EncodeInfo[i].sizes == 1 ? 1 : m_EncodeInfo[i].sizes - 1;
     }
   }
-  nTotalSampleBits *= m_nBitsPerSample;
-  nTotalSampleBits *= m_nOutputs;
-  FX_SAFE_UINT32 nTotalSampleBytes = nTotalSampleBits;
-  nTotalSampleBytes += 7;
-  nTotalSampleBytes /= 8;
-  if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0 ||
-      nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize()) {
+  FX_SAFE_UINT32 nTotalSampleBytes = (nTotalSampleBits + 7) / 8;
+  if (!nTotalSampleBytes.IsValid() || nTotalSampleBytes.ValueOrDie() == 0)
     return false;
-  }
+
+  m_SampleMax = 0xffffffff >> (32 - m_nBitsPerSample);
+  m_pSampleStream = pdfium::MakeRetain<CPDF_StreamAcc>(pStream);
+  m_pSampleStream->LoadAllDataFiltered();
+  if (nTotalSampleBytes.ValueOrDie() > m_pSampleStream->GetSize())
+    return false;
+
+  const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
   m_DecodeInfo.resize(m_nOutputs);
   for (uint32_t i = 0; i < m_nOutputs; i++) {
     if (pDecode) {
-- 
cgit v1.2.3