From dab8649b70284a3f0e109510996c35c7882cbd87 Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Tue, 13 Feb 2018 22:11:43 +0000
Subject: Change return value of GetAvailInput

This changes the return value from uint32_t to FX_FILESIZE, which is the type the methods is uses return. The existing code does an unguarded static cast, so something like -1 could cause a very large value being returned.

This change has a cascading impact up to the top of the progressive codec, which now has to handle negative values gracefully.

Change-Id: I813fb71e932dd5da014dbaed0dbf3bb28f8d4e9f
Reviewed-on: https://pdfium-review.googlesource.com/26450
Commit-Queue: Ryan Harrison
Reviewed-by: Lei Zhang
---
 core/fxcodec/bmp/cfx_bmpdecompressor.cpp | 2 +-
 core/fxcodec/bmp/cfx_bmpdecompressor.h | 2 +-
 core/fxcodec/codec/ccodec_bmpmodule.cpp | 4 ++--
 core/fxcodec/codec/ccodec_bmpmodule.h | 2 +-
 core/fxcodec/codec/fx_codec_progress.cpp | 7 ++++++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
index 56f11fd4cb..71909d2732 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
@@ -649,7 +649,7 @@ void CFX_BmpDecompressor::SetInputBuffer(uint8_t* src_buf, uint32_t src_size) {
 pdfium::MakeRetain(src_buf, src_size, false);
 }
-uint32_t CFX_BmpDecompressor::GetAvailInput(uint8_t** avail_buf) {
+FX_FILESIZE CFX_BmpDecompressor::GetAvailInput(uint8_t** avail_buf) {
 if (!input_buffer_)
 return 0;
diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.h b/core/fxcodec/bmp/cfx_bmpdecompressor.h
index eece78c7ca..152a2bd0ee 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.h
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.h
@@ -25,7 +25,7 @@ class CFX_BmpDecompressor {
 int32_t DecodeImage();
 int32_t ReadHeader();
 void SetInputBuffer(uint8_t* src_buf, uint32_t src_size);
- uint32_t GetAvailInput(uint8_t** avail_buf);
+ FX_FILESIZE GetAvailInput(uint8_t** avail_buf);
 jmp_buf jmpbuf_;
diff --git a/core/fxcodec/codec/ccodec_bmpmodule.cpp b/core/fxcodec/codec/ccodec_bmpmodule.cpp
index e41b3dfd60..eb9bdf84f5 100644
--- a/core/fxcodec/codec/ccodec_bmpmodule.cpp
+++ b/core/fxcodec/codec/ccodec_bmpmodule.cpp
@@ -63,8 +63,8 @@ int32_t CCodec_BmpModule::LoadImage(Context* pContext) {
 return ctx->m_Bmp.DecodeImage();
 }
-uint32_t CCodec_BmpModule::GetAvailInput(Context* pContext,
- uint8_t** avail_buf_ptr) {
+FX_FILESIZE CCodec_BmpModule::GetAvailInput(Context* pContext,
+ uint8_t** avail_buf_ptr) {
 auto* ctx = static_cast(pContext);
 return ctx->m_Bmp.GetAvailInput(avail_buf_ptr);
 }
diff --git a/core/fxcodec/codec/ccodec_bmpmodule.h b/core/fxcodec/codec/ccodec_bmpmodule.h
index 8a33f66eac..9eef8867c6 100644
--- a/core/fxcodec/codec/ccodec_bmpmodule.h
+++ b/core/fxcodec/codec/ccodec_bmpmodule.h
@@ -33,7 +33,7 @@ class CCodec_BmpModule {
 ~CCodec_BmpModule();
 std::unique_ptr Start(Delegate* pDelegate);
- uint32_t GetAvailInput(Context* pContext, uint8_t** avail_buf_ptr);
+ FX_FILESIZE GetAvailInput(Context* pContext, uint8_t** avail_buf_ptr);
 void Input(Context* pContext, const uint8_t* src_buf, uint32_t src_size);
 int32_t ReadHeader(Context* pContext, int32_t* width,
diff --git a/core/fxcodec/codec/fx_codec_progress.cpp b/core/fxcodec/codec/fx_codec_progress.cpp
index 82b0168f6e..7e29524b2f 100644
--- a/core/fxcodec/codec/fx_codec_progress.cpp
+++ b/core/fxcodec/codec/fx_codec_progress.cpp
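Review bot: The new declaration `FX_FILESIZE GetAvailInput(Context* pContext, uint8_t** avail_buf_ptr);` in ccodec_bmpmodule.h carries no comment saying the result is now signed and may be negative, which per the commit message is the whole reason for the type change; any caller that keeps assigning it to a `uint32_t` will silently reintroduce the wrap this commit is fixing, and nothing at the declaration warns them. I would add above it: `// Returns the count of not-yet-consumed input bytes. May be negative (or exceed uint32_t) when the underlying input buffer is in a bad state — presumably an error from the stream, confirm against CFX_BmpDecompressor::GetAvailInput; callers must range-check before narrowing.` The same note belongs on the CFX_BmpDecompressor declaration in the first hunk of this file section.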
@@ -836,7 +836,12 @@ bool CCodec_ProgressiveDecoder::BmpReadMoreData(CCodec_BmpModule* pBmpModule,
 return false;
 dwSize = dwSize - m_offSet;
- uint32_t dwAvail = pBmpModule->GetAvailInput(m_pBmpContext.get(), nullptr);
+ FX_SAFE_UINT32 avail_input =
+ pBmpModule->GetAvailInput(m_pBmpContext.get(), nullptr);
+ if (!avail_input.IsValid())
+ return false;
+
+ uint32_t dwAvail = avail_input.ValueOrDie();
 if (dwAvail == m_SrcSize) {
 if (dwSize > FXCODEC_BLOCK_SIZE) {
 dwSize = FXCODEC_BLOCK_SIZE;
-- 
cgit v1.2.3
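Review bot: The `return false;` added after `if (!avail_input.IsValid())` reports a negative or >32-bit availability — i.e. a decoder whose input buffer is in a bad state — exactly the way the pre-existing `return false;` at the top of the hunk reports the ordinary no-more-data case, so BmpReadMoreData's callers cannot tell a poisoned context from a short read; if any of them loop on false (they are outside this hunk, so I cannot confirm), the bad context will be polled again instead of the decode being aborted. It is worth either checking that behaviour at the call sites or giving this path a distinct failure signal. At minimum the bail-out needs a why-comment, e.g. `// GetAvailInput() returns a signed FX_FILESIZE; a negative or >uint32_t value means the input buffer is bad, so refuse to narrow it into dwAvail.` BmpReadMoreData starts and ends outside the hunk.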