From 76e202c638e343cb59f255df59580f4d658d2f9c Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 23 Apr 2018 18:44:46 +0000
Subject: Validate the Size dictionary entry in CPDF_SampledFunc.
It is required to be an array of positive integers. The existing implementation seems to accommodate non-compliant PDFs where the Size entry is an integer.
Change-Id: I58faa3f84ca627f189c67bab5884d4b1f9b105ca
Reviewed-on: https://pdfium-review.googlesource.com/31151
Commit-Queue: Lei Zhang
Reviewed-by: Henrique Nakashima
---
 core/fpdfapi/page/cpdf_sampledfunc.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/core/fpdfapi/page/cpdf_sampledfunc.cpp b/core/fpdfapi/page/cpdf_sampledfunc.cpp
index 6ec87fc672..6039d630ef 100644
--- a/core/fpdfapi/page/cpdf_sampledfunc.cpp
+++ b/core/fpdfapi/page/cpdf_sampledfunc.cpp
@@ -44,6 +44,9 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
 const CPDF_Dictionary* pDict = pStream->GetDict();
 const CPDF_Array* pSize = pDict->GetArrayFor("Size");
+ if (!pSize || pSize->IsEmpty())
+ return false;
+
 const CPDF_Array* pEncode = pDict->GetArrayFor("Encode");
 const CPDF_Array* pDecode = pDict->GetArrayFor("Decode");
 m_nBitsPerSample = pDict->GetIntegerFor("BitsPerSample");
@@ -56,9 +59,11 @@ bool CPDF_SampledFunc::v_Init(CPDF_Object* pObj,
 FX_SAFE_UINT32 nTotalSampleBits = 1;
 m_EncodeInfo.resize(m_nInputs);
 for (uint32_t i = 0; i < m_nInputs; i++) {
- m_EncodeInfo[i].sizes = pSize ? pSize->GetIntegerAt(i) : 0;
- if (!pSize && i == 0)
- m_EncodeInfo[i].sizes = pDict->GetIntegerFor("Size");
+ int size = pSize->GetIntegerAt(i);
+ if (size <= 0)
+ return false;
+
+ m_EncodeInfo[i].sizes = size;
 nTotalSampleBits *= m_EncodeInfo[i].sizes;
 if (pEncode) {
 m_EncodeInfo[i].encode_min = pEncode->GetFloatAt(i * 2);
--
cgit v1.2.3
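Review bot: The new guard after `GetArrayFor("Size")` rejects a missing or empty array but never compares the number of entries with `m_nInputs`, which the loop in the second hunk uses as its bound. A Size array shorter than the number of inputs is therefore rejected only if `GetIntegerAt` returns a non-positive value for an index past the end, and that behaviour is not visible in this diff. Since the dictionary comes from an untrusted PDF, comparing the array's element count with `m_nInputs` in this guard would make the rejection explicit rather than dependent on the accessor. v_Init starts before and continues past this hunk, so confirm that `m_nInputs` is already set at this point.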
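Review bot: The `if (size <= 0) return false;` check inside the loop carries the whole validation, yet nothing in the code records that the old integer-valued Size fallback was dropped on purpose. A comment above it such as `// Size entries must be positive integers; a non-array Size is no longer tolerated.` would keep a later change from restoring the lenient path. `GetIntegerAt(i)` presumably also converts a real-number entry to an int, so a fractional entry may pass as its truncated value; confirm whether that is acceptable for "array of positive integers". The diffstat lists only the .cpp file, so a regression test covering zero, negative and integer-form Size values would pin the new behaviour. The loop body continues past the end of this hunk.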