From 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41 Mon Sep 17 00:00:00 2001
From: ochang <ochang@chromium.org>
Date: Fri, 15 Apr 2016 13:52:00 -0700
Subject: Prevent a potential OOB read in TranslateImageLine.

Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and
its CPDF_ColorSpace, from code attempting to recover from a failed decoder
initialisation in CPDF_DIBSource::CreateDecoder.

BUG=chromium:603518
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1892143003
---
 core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp       |  11 ++++++-----
 .../fpdf_render/fpdf_render_loadimage_embeddertest.cpp   |  10 ++++++++++
 testing/resources/bug_603518.pdf                         | Bin 0 -> 7328 bytes
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 testing/resources/bug_603518.pdf

diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d38359f..44ac29f9e1 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
                                 bpc, bTransform)) {
         if (m_nComponents != static_cast<uint32_t>(comps)) {
           FX_Free(m_pCompData);
+          m_pCompData = nullptr;
           m_nComponents = static_cast<uint32_t>(comps);
-          if (m_Family == PDFCS_LAB && m_nComponents != 3) {
-            m_pCompData = nullptr;
+          if (m_pColorSpace &&
+              m_pColorSpace->CountComponents() != m_nComponents)
+            return 0;
+          if (m_Family == PDFCS_LAB && m_nComponents != 3)
             return 0;
-          }
           m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
-          if (!m_pCompData) {
+          if (!m_pCompData)
             return 0;
-          }
         }
         m_bpc = bpc;
         m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8e37..5c6a8c513f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@ TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_557223) {
   FPDFBitmap_Destroy(bitmap);
   UnloadPage(page);
 }
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+  // Should not crash
+  EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  EXPECT_NE(nullptr, page);
+  FPDF_BITMAP bitmap = RenderPage(page);
+  FPDFBitmap_Destroy(bitmap);
+  UnloadPage(page);
+}
diff --git a/testing/resources/bug_603518.pdf b/testing/resources/bug_603518.pdf
new file mode 100644
index 0000000000..1af6005e6c
Binary files /dev/null and b/testing/resources/bug_603518.pdf differ
-- 
cgit v1.2.3