From 93358c23262e27ead528ac60607329ba0ea0a49a Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 19 Apr 2018 16:53:32 +0000
Subject: Do a bit more validation in CPDF_ExpIntFunc::v_Init().

Also do some cleanup and use FX_SAFE_UINT32.

Change-Id: I8e9fc49fb768cfc4b13b164c1dcf51b8ca99ec0b
Reviewed-on: https://pdfium-review.googlesource.com/30934
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
---
 core/fpdfapi/page/cpdf_expintfunc.cpp | 33 ++++++++++++++++++++-------------
 core/fpdfapi/page/cpdf_expintfunc.h   |  8 ++++----
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/core/fpdfapi/page/cpdf_expintfunc.cpp b/core/fpdfapi/page/cpdf_expintfunc.cpp
index 020fe1fb81..0b3dc24033 100644
--- a/core/fpdfapi/page/cpdf_expintfunc.cpp
+++ b/core/fpdfapi/page/cpdf_expintfunc.cpp
@@ -8,12 +8,11 @@
 
 #include "core/fpdfapi/parser/cpdf_array.h"
 #include "core/fpdfapi/parser/cpdf_dictionary.h"
+#include "core/fpdfapi/parser/cpdf_number.h"
 #include "core/fxcrt/fx_memory.h"
 
 CPDF_ExpIntFunc::CPDF_ExpIntFunc()
-    : CPDF_Function(Type::kType2ExpotentialInterpolation),
-      m_pBeginValues(nullptr),
-      m_pEndValues(nullptr) {}
+    : CPDF_Function(Type::kType2ExpotentialInterpolation) {}
 
 CPDF_ExpIntFunc::~CPDF_ExpIntFunc() {
   FX_Free(m_pBeginValues);
@@ -26,14 +25,21 @@ bool CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj,
   if (!pDict)
     return false;
 
-  CPDF_Array* pArray0 = pDict->GetArrayFor("C0");
-  if (m_nOutputs == 0) {
-    m_nOutputs = 1;
-    if (pArray0)
-      m_nOutputs = pArray0->GetCount();
+  {
+    CPDF_Number* pExponent = ToNumber(pDict->GetObjectFor("N"));
+    if (!pExponent)
+      return false;
+
+    m_Exponent = pExponent->GetNumber();
   }
 
-  CPDF_Array* pArray1 = pDict->GetArrayFor("C1");
+  const CPDF_Array* pArray0 = pDict->GetArrayFor("C0");
+  if (pArray0 && m_nOutputs == 0)
+    m_nOutputs = pArray0->GetCount();
+  if (m_nOutputs == 0)
+    m_nOutputs = 1;
+
+  const CPDF_Array* pArray1 = pDict->GetArrayFor("C1");
   m_pBeginValues = FX_Alloc2D(float, m_nOutputs, 2);
   m_pEndValues = FX_Alloc2D(float, m_nOutputs, 2);
   for (uint32_t i = 0; i < m_nOutputs; i++) {
@@ -41,12 +47,13 @@ bool CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj,
     m_pEndValues[i] = pArray1 ? pArray1->GetFloatAt(i) : 1.0f;
   }
 
-  m_Exponent = pDict->GetFloatFor("N");
-  m_nOrigOutputs = m_nOutputs;
-  if (m_nOutputs && m_nInputs > INT_MAX / m_nOutputs)
+  FX_SAFE_UINT32 nOutputs = m_nOutputs;
+  nOutputs *= m_nInputs;
+  if (!nOutputs.IsValid())
     return false;
 
-  m_nOutputs *= m_nInputs;
+  m_nOrigOutputs = m_nOutputs;
+  m_nOutputs = nOutputs.ValueOrDie();
   return true;
 }
 
diff --git a/core/fpdfapi/page/cpdf_expintfunc.h b/core/fpdfapi/page/cpdf_expintfunc.h
index 7950c3dfd0..3ff6a7eb22 100644
--- a/core/fpdfapi/page/cpdf_expintfunc.h
+++ b/core/fpdfapi/page/cpdf_expintfunc.h
@@ -20,10 +20,10 @@ class CPDF_ExpIntFunc : public CPDF_Function {
   bool v_Init(CPDF_Object* pObj, std::set<CPDF_Object*>* pVisited) override;
   bool v_Call(const float* inputs, float* results) const override;
 
-  uint32_t m_nOrigOutputs;
-  float m_Exponent;
-  float* m_pBeginValues;
-  float* m_pEndValues;
+  uint32_t m_nOrigOutputs = 0;
+  float m_Exponent = 0.0f;
+  float* m_pBeginValues = nullptr;
+  float* m_pEndValues = nullptr;
 };
 
 #endif  // CORE_FPDFAPI_PAGE_CPDF_EXPINTFUNC_H_
-- 
cgit v1.2.3