From 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41 Mon Sep 17 00:00:00 2001
From: ochang
Date: Fri, 15 Apr 2016 13:52:00 -0700
Subject: Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and its CPDF_ColorSpace, from code attempting to recover from a failed decoder initialisation in CPDF_DIBSource::CreateDecoder.
BUG=chromium:603518
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1892143003
---
 core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | 11 ++++++-----
 .../fpdf_render/fpdf_render_loadimage_embeddertest.cpp | 10 ++++++++++
 testing/resources/bug_603518.pdf | Bin 0 -> 7328 bytes
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 testing/resources/bug_603518.pdf
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d38359f..44ac29f9e1 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
 bpc, bTransform)) {
 if (m_nComponents != static_cast(comps)) {
 FX_Free(m_pCompData);
+ m_pCompData = nullptr;
 m_nComponents = static_cast(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
 return 0;
- }
 m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
 return 0;
- }
 }
 m_bpc = bpc;
 m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8e37..5c6a8c513f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
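Review bot: On both early `return 0;` paths in the `m_nComponents != ...` block, `m_nComponents` has already been overwritten with the decoder-reported count, so a failed CreateDecoder() leaves the object holding the same mismatch with `m_pColorSpace` that the new check rejects, together with a null `m_pCompData`. Whether anything reads those members after a 0 return is not visible in this hunk, so this is a hardening point rather than a confirmed defect. Keeping the converted `comps` value in a local, running the colour-space and `PDFCS_LAB` checks against it, and only then freeing `m_pCompData` and assigning `m_nComponents` would leave the object consistent on failure. A comment above the new check, e.g. `// The JPEG component count must match the colour space, otherwise TranslateImageLine can read out of bounds.`, would record why it exists. CreateDecoder's body starts and ends outside the hunk.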
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@ TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_557223) {
 FPDFBitmap_Destroy(bitmap);
 UnloadPage(page);
 }
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+ // Should not crash
+ EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
diff --git a/testing/resources/bug_603518.pdf b/testing/resources/bug_603518.pdf
new file mode 100644
index 0000000000..1af6005e6c
Binary files /dev/null and b/testing/resources/bug_603518.pdf differ
-- cgit v1.2.3
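Review bot: The new Bug_603518 test checks its preconditions with `EXPECT_TRUE(OpenDocument("bug_603518.pdf"))` and `EXPECT_NE(nullptr, page)`, which do not stop the test, so a missing resource or failed page load still reaches `RenderPage(page)` with a null page. `ASSERT_TRUE(OpenDocument("bug_603518.pdf"));` and `ASSERT_NE(nullptr, page);` would make the failure point at the real cause. The `// Should not crash` expectation is also weak evidence on its own, since an out-of-bounds read need not fault in a plain build. A comment such as `// Regression test for an OOB read in TranslateImageLine; most meaningful in a sanitizer build.` would tell maintainers how to interpret a pass.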