From 6793dad3038a6ed4a2bd68aeb1833c00e7413cf3 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Mon, 15 Oct 2018 18:18:18 +0000
Subject: Stop shadowing codec memory size with
 CCodec_ProgressiveDecoder::m_SrcSize

This is a remnant from the old implementation which can get out
of sync with the actual value, esp. in the fuzzers where buffers
are shorter-lived.

Bug: 895009
Change-Id: Ibf16dad58dd750c961e3b446f12cb2197004dbb4
Reviewed-on: https://pdfium-review.googlesource.com/c/44010
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 core/fxcodec/codec/ccodec_progressivedecoder.cpp | 36 +++++++++++-------------
 core/fxcodec/codec/ccodec_progressivedecoder.h   |  1 -
 2 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/core/fxcodec/codec/ccodec_progressivedecoder.cpp b/core/fxcodec/codec/ccodec_progressivedecoder.cpp
index c3ab8c60c1..04dda05157 100644
--- a/core/fxcodec/codec/ccodec_progressivedecoder.cpp
+++ b/core/fxcodec/codec/ccodec_progressivedecoder.cpp
@@ -768,7 +768,9 @@ bool CCodec_ProgressiveDecoder::BmpDetectImageTypeInBuffer(
     return false;
   }
 
-  uint32_t availableData = m_SrcSize > m_offSet ? m_SrcSize - m_offSet : 0;
+  uint32_t availableData = m_pCodecMemory->GetSize() > m_offSet
+                               ? m_pCodecMemory->GetSize() - m_offSet
+                               : 0;
   if (neededData > availableData) {
     m_status = FXCODEC_STATUS_ERR_FORMAT;
     return false;
@@ -1266,10 +1268,9 @@ bool CCodec_ProgressiveDecoder::PngDetectImageTypeInBuffer(
       m_status = FXCODEC_STATUS_ERR_FORMAT;
       return false;
     }
-    if (m_pCodecMemory && input_size > m_SrcSize) {
+    if (m_pCodecMemory && input_size > m_pCodecMemory->GetSize())
       m_pCodecMemory = pdfium::MakeRetain<CFX_CodecMemory>(input_size);
-      m_SrcSize = input_size;
-    }
+
     if (!m_pFile->ReadBlock(m_pCodecMemory->GetBuffer(), m_offSet,
                             input_size)) {
       m_status = FXCODEC_STATUS_ERR_READ;
@@ -1350,10 +1351,9 @@ FXCODEC_STATUS CCodec_ProgressiveDecoder::PngContinueDecode() {
       m_status = FXCODEC_STATUS_DECODE_FINISH;
       return m_status;
     }
-    if (m_pCodecMemory && input_size > m_SrcSize) {
+    if (m_pCodecMemory && input_size > m_pCodecMemory->GetSize())
       m_pCodecMemory = pdfium::MakeRetain<CFX_CodecMemory>(input_size);
-      m_SrcSize = input_size;
-    }
+
     bool bResult =
         m_pFile->ReadBlock(m_pCodecMemory->GetBuffer(), m_offSet, input_size);
     if (!bResult) {
@@ -1549,14 +1549,13 @@ bool CCodec_ProgressiveDecoder::DetectImageType(FXCODEC_IMAGE_TYPE imageType,
 #endif  // PDF_ENABLE_XFA_TIFF
 
   size_t size = std::min<size_t>(m_pFile->GetSize(), FXCODEC_BLOCK_SIZE);
-  m_SrcSize = static_cast<uint32_t>(size);
-  m_pCodecMemory = pdfium::MakeRetain<CFX_CodecMemory>(m_SrcSize);
+  m_pCodecMemory = pdfium::MakeRetain<CFX_CodecMemory>(size);
   m_offSet = 0;
-  if (!m_pFile->ReadBlock(m_pCodecMemory->GetBuffer(), m_offSet, m_SrcSize)) {
+  if (!m_pFile->ReadBlock(m_pCodecMemory->GetBuffer(), m_offSet, size)) {
     m_status = FXCODEC_STATUS_ERR_READ;
     return false;
   }
-  m_offSet += m_SrcSize;
+  m_offSet += size;
 
   if (imageType == FXCODEC_IMAGE_JPG)
     return JpegDetectImageTypeInBuffer(pAttribute);
@@ -1593,31 +1592,30 @@ bool CCodec_ProgressiveDecoder::ReadMoreData(
   uint32_t dwBytesToFetchFromFile = m_pFile->GetSize() - m_offSet;
 
   // Figure out if the codec stopped processing midway through the buffer.
-  uint32_t dwUnconsumed = 0;
+  size_t dwUnconsumed = 0;
   if (!invalidate_buffer) {
-    FX_SAFE_UINT32 avail_input = pModule->GetAvailInput(pContext);
+    FX_SAFE_SIZE_T avail_input = pModule->GetAvailInput(pContext);
     if (!avail_input.IsValid())
       return false;
     dwUnconsumed = avail_input.ValueOrDie();
   }
 
-  if (dwUnconsumed == m_SrcSize) {
+  if (dwUnconsumed == m_pCodecMemory->GetSize()) {
     // Codec couldn't make any progress against the bytes in the buffer.
     // Increase the buffer size so that there might be enough contiguous
     // bytes to allow whatever operation is having difficulty to succeed.
     dwBytesToFetchFromFile =
         std::min<uint32_t>(dwBytesToFetchFromFile, FXCODEC_BLOCK_SIZE);
-    uint32_t dwNewSize = m_SrcSize + dwBytesToFetchFromFile;
+    size_t dwNewSize = m_pCodecMemory->GetSize() + dwBytesToFetchFromFile;
     if (!m_pCodecMemory->TryResize(dwNewSize)) {
       err_status = FXCODEC_STATUS_ERR_MEMORY;
       return false;
     }
-    m_SrcSize = dwNewSize;
   } else {
-    uint32_t dwConsumed = m_SrcSize - dwUnconsumed;
+    size_t dwConsumed = m_pCodecMemory->GetSize() - dwUnconsumed;
     m_pCodecMemory->Consume(dwConsumed);
-    dwBytesToFetchFromFile = std::min(dwBytesToFetchFromFile, dwConsumed);
-    m_SrcSize = dwBytesToFetchFromFile + dwUnconsumed;
+    dwBytesToFetchFromFile =
+        std::min<uint32_t>(dwBytesToFetchFromFile, dwConsumed);
   }
 
   // Append new data past the bytes not yet processed by the codec.
diff --git a/core/fxcodec/codec/ccodec_progressivedecoder.h b/core/fxcodec/codec/ccodec_progressivedecoder.h
index d0419f8268..1c764cbb4b 100644
--- a/core/fxcodec/codec/ccodec_progressivedecoder.h
+++ b/core/fxcodec/codec/ccodec_progressivedecoder.h
@@ -268,7 +268,6 @@ class CCodec_ProgressiveDecoder :
   std::unique_ptr<CodecModuleIface::Context> m_pTiffContext;
 #endif  // PDF_ENABLE_XFA_TIFF
   uint32_t m_offSet = 0;
-  uint32_t m_SrcSize = 0;
   int m_ScanlineSize = 0;
   CFXCODEC_WeightTable m_WeightHorz;
   CFXCODEC_VertTable m_WeightVert;
-- 
cgit v1.2.3