From ff63663ce08c31efa416bc797c2d3ef96759f780 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 3 Nov 2017 18:37:35 +0000
Subject: The component count in CPDF_IndexedCS should be unsigned.

Since the source of the component count is unsigned. Adjust related
variables to also be unsigned. In CPDF_IndexedCS::GetRGB(), switch
integer overflow code to use FX_SAFE_SIZE_T, and write to the out params
correctly on failure.

Change-Id: If7405b4c5e9022ba1992fff2be2bcc1a7826adf4
Reviewed-on: https://pdfium-review.googlesource.com/17770
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 core/fpdfapi/page/cpdf_colorspace.cpp | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/core/fpdfapi/page/cpdf_colorspace.cpp b/core/fpdfapi/page/cpdf_colorspace.cpp
index dd13bf5049..ec45160ef8 100644
--- a/core/fpdfapi/page/cpdf_colorspace.cpp
+++ b/core/fpdfapi/page/cpdf_colorspace.cpp
@@ -197,7 +197,7 @@ class CPDF_IndexedCS : public CPDF_ColorSpace {
 
   CPDF_ColorSpace* m_pBaseCS;
   UnownedPtr<CPDF_CountedColorSpace> m_pCountedBaseCS;
-  int m_nBaseComponents;
+  uint32_t m_nBaseComponents;
   int m_MaxIndex;
   ByteString m_Table;
   float* m_pCompMinMax;
@@ -1013,7 +1013,7 @@ bool CPDF_IndexedCS::v_Load(CPDF_Document* pDoc,
   m_nBaseComponents = m_pBaseCS->CountComponents();
   m_pCompMinMax = FX_Alloc2D(float, m_nBaseComponents, 2);
   float defvalue;
-  for (int i = 0; i < m_nBaseComponents; i++) {
+  for (uint32_t i = 0; i < m_nBaseComponents; i++) {
     m_pBaseCS->GetDefaultValue(i, &defvalue, &m_pCompMinMax[i * 2],
                                &m_pCompMinMax[i * 2 + 1]);
     m_pCompMinMax[i * 2 + 1] -= m_pCompMinMax[i * 2];
@@ -1035,21 +1035,25 @@ bool CPDF_IndexedCS::v_Load(CPDF_Document* pDoc,
 }
 
 bool CPDF_IndexedCS::GetRGB(float* pBuf, float* R, float* G, float* B) const {
-  int index = static_cast<int32_t>(*pBuf);
+  int32_t index = static_cast<int32_t>(*pBuf);
   if (index < 0 || index > m_MaxIndex)
     return false;
 
   if (m_nBaseComponents) {
-    if (index == INT_MAX || (index + 1) > INT_MAX / m_nBaseComponents ||
-        (index + 1) * m_nBaseComponents > (int)m_Table.GetLength()) {
-      R = G = B = 0;
+    FX_SAFE_SIZE_T length = index;
+    length += 1;
+    length *= m_nBaseComponents;
+    if (!length.IsValid() || length.ValueOrDie() > m_Table.GetLength()) {
+      *R = 0;
+      *G = 0;
+      *B = 0;
       return false;
     }
   }
   CFX_FixedBufGrow<float, 16> Comps(m_nBaseComponents);
   float* comps = Comps;
   const uint8_t* pTable = m_Table.raw_str();
-  for (int i = 0; i < m_nBaseComponents; i++) {
+  for (uint32_t i = 0; i < m_nBaseComponents; i++) {
     comps[i] =
         m_pCompMinMax[i * 2] +
         m_pCompMinMax[i * 2 + 1] * pTable[index * m_nBaseComponents + i] / 255;
-- 
cgit v1.2.3