From a57e3e13c1c0ea8e47746f5622f299bd3150eb48 Mon Sep 17 00:00:00 2001
From: Oliver Chang <ochang@chromium.org>
Date: Mon, 18 Apr 2016 12:45:52 -0700
Subject: Merge to M51: Prevent an OOB access in
 CPDF_DIBSource::TranslateScanline24bpp

if |m_Family| was RGB, the code assumed there were 3 components, which
may not be the case.

BUG=chromium:602046
TBR=tsepez@chromium.org

Original Review URL: https://codereview.chromium.org/1877033003

(cherry picked from commit 6a3521f049b35c801f124f1573718021a785ff6b)

Review URL: https://codereview.chromium.org/1895033004 .
---
 core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 144de779e9..97f625f29f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -918,6 +918,9 @@ void CPDF_DIBSource::TranslateScanline24bpp(uint8_t* dest_scan,
   unsigned int max_data = (1 << m_bpc) - 1;
   if (m_bDefaultDecode) {
     if (m_Family == PDFCS_DEVICERGB || m_Family == PDFCS_CALRGB) {
+      if (m_nComponents != 3)
+        return;
+
       const uint8_t* src_pos = src_scan;
       switch (m_bpc) {
         case 16:
-- 
cgit v1.2.3