From 6ec142da3f9cccb60a4d983ee7132c41a0798e24 Mon Sep 17 00:00:00 2001
From: Henrique Nakashima
Date: Mon, 5 Feb 2018 22:28:22 +0000
Subject: Limit dest buffer to 1GB in FlateOrLZWDecode.

Bug: chromium:802094
Change-Id: I99d2d75cd431afe1cdb966e1431143ab43dd9a73
Reviewed-on: https://pdfium-review.googlesource.com/24730
Reviewed-by: Tom Sepez
Commit-Queue: Henrique Nakashima
---
 core/fxcodec/codec/fx_codec_flate.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/fxcodec/codec/fx_codec_flate.cpp b/core/fxcodec/codec/fx_codec_flate.cpp
index 95902bb699..e33a3d4810 100644
--- a/core/fxcodec/codec/fx_codec_flate.cpp
+++ b/core/fxcodec/codec/fx_codec_flate.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/codec/codec_int.h"
 #include
+#include
 #include
 #include
 #include
@@ -39,9 +40,12 @@ static void my_free_func(void* opaque, void* address) {
 namespace {
+constexpr const static uint32_t kMaxTotalOutSize = 1024 * 1024 * 1024;  // 1 GiB
+
 uint32_t FlateGetPossiblyTruncatedTotalOut(void* context) {
-  return pdfium::base::saturated_cast(
-      static_cast(context)->total_out);
+  return std::min(pdfium::base::saturated_cast(
+                      static_cast(context)->total_out),
+                  kMaxTotalOutSize);
 }
 uint32_t FlateGetPossiblyTruncatedTotalIn(void* context) {
--
cgit v1.2.3
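Review bot: The clamp in FlateGetPossiblyTruncatedTotalOut makes a stream that has inflated past 1 GiB indistinguishable from one that produced exactly kMaxTotalOutSize, and nothing in the function tells a caller which case it is, so the constant deserves a comment stating the contract, e.g. `// Upper bound on the reported inflated size. A return value equal to this means "at least this much"; callers sizing a buffer from it must stop consuming output once the cap is reached.` Whether FlateOrLZWDecode's inflate loop actually stops writing at the cap is decided in the caller, outside this hunk, so that part is inferred rather than visible here. On style, `constexpr const static` is redundant — `constexpr` already implies `const`, and a declaration inside the anonymous namespace already has internal linkage — so `constexpr uint32_t kMaxTotalOutSize = 1024 * 1024 * 1024;  // 1 GiB` reads cleaner. The enclosing anonymous namespace continues past the end of the hunk.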