From 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41 Mon Sep 17 00:00:00 2001
From: ochang
Date: Fri, 15 Apr 2016 13:52:00 -0700
Subject: Prevent a potential OOB read in TranslateImageLine.
Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and its CPDF_ColorSpace, from code attempting to recover from a failed decoder initialisation in CPDF_DIBSource::CreateDecoder.
BUG=chromium:603518
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1892143003
---
 core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp')
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d38359f..44ac29f9e1 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@ int CPDF_DIBSource::CreateDecoder() {
 bpc, bTransform)) {
 if (m_nComponents != static_cast(comps)) {
 FX_Free(m_pCompData);
+ m_pCompData = nullptr;
 m_nComponents = static_cast(comps);
- if (m_Family == PDFCS_LAB && m_nComponents != 3) {
- m_pCompData = nullptr;
+ if (m_pColorSpace &&
+ m_pColorSpace->CountComponents() != m_nComponents)
+ return 0;
+ if (m_Family == PDFCS_LAB && m_nComponents != 3)
 return 0;
- }
 m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
- if (!m_pCompData) {
+ if (!m_pCompData)
 return 0;
- }
 }
 m_bpc = bpc;
 m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(
-- cgit v1.2.3
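Review bot: On the new side of this hunk `m_nComponents` is still overwritten with the decoder-reported `comps` before the two validity checks run, so both early `return 0;` paths leave the object holding a component count that disagrees with `m_pColorSpace`, alongside a null `m_pCompData`. Whether that is reachable depends on callers outside the hunk treating a 0 return as fatal; if any path keeps using the object afterwards, the mismatch named in the commit message is still present in its state. Consider comparing the cast `comps` value against `m_pColorSpace->CountComponents()` (and against 3 for `PDFCS_LAB`) first, and assigning `m_nComponents` only once both checks pass. The new guard is also skipped when `m_pColorSpace` is null, which deserves a short comment such as `// m_pColorSpace may be null here; the count is then not cross-checked.` CreateDecoder starts and ends outside the hunk, so the handling of the failure return could not be confirmed from this page.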