From 8ba662443cd7bc3bdad1699cf014c2ecb432e453 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 13 Mar 2017 14:07:38 -0400
Subject: Check run lengths in FaxG4GetRow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The spec says a1 is to the right of a0, a2 to the right of a1. I think that
means that the run lengths have to be positive, but that certainly means that
they cannot be negative.

BUG=chromium:699340

Change-Id: Ic07a272e63610f7a66c5073179cdb2768f80e2b8
Reviewed-on: https://pdfium-review.googlesource.com/2963
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
---
 core/fxcodec/codec/fx_codec_fax.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp
index 8a9c3efbc7..3e8967c265 100644
--- a/core/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/fxcodec/codec/fx_codec_fax.cpp
@@ -315,6 +315,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
         }
         if (a0 < 0)
           ++run_len1;
+        if (run_len1 < 0)
+          return false;
 
         a1 = a0 + run_len1;
         if (!a0color)
@@ -329,6 +331,8 @@ bool FaxG4GetRow(const uint8_t* src_buf,
             break;
           }
         }
+        if (run_len2 < 0)
+          return false;
         a2 = a1 + run_len2;
         if (a0color)
           FaxFillBits(dest_buf, columns, a1, a2);
-- 
cgit v1.2.3