From f768baf129fcafc4342193477e0c41c082ef5ca5 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Fri, 14 Jul 2017 16:39:39 -0400
Subject: Let CPDF_MeshStream::ReadVertexRow return a vector

In this CL, CPDF_MeshStream::ReadVertexRow returns a vector. The vector
size is not allocated in advance to prevent OOM attacks, since the size
is given as an input to the PDF.

Bug: chromium:735248
Change-Id: I3e2b020896f24715af5dfd9aa18768e6d64d6f76
Reviewed-on: https://pdfium-review.googlesource.com/7950
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fpdfapi/page/cpdf_meshstream.cpp | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'core/fpdfapi/page/cpdf_meshstream.cpp')

diff --git a/core/fpdfapi/page/cpdf_meshstream.cpp b/core/fpdfapi/page/cpdf_meshstream.cpp
index 7a6228a25b..8588734d95 100644
--- a/core/fpdfapi/page/cpdf_meshstream.cpp
+++ b/core/fpdfapi/page/cpdf_meshstream.cpp
@@ -242,19 +242,22 @@ bool CPDF_MeshStream::ReadVertex(const CFX_Matrix& pObject2Bitmap,
   return true;
 }
 
-bool CPDF_MeshStream::ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
-                                    int count,
-                                    CPDF_MeshVertex* vertex) {
-  for (int i = 0; i < count; i++) {
+std::vector<CPDF_MeshVertex> CPDF_MeshStream::ReadVertexRow(
+    const CFX_Matrix& pObject2Bitmap,
+    int count) {
+  std::vector<CPDF_MeshVertex> vertices;
+  for (int i = 0; i < count; ++i) {
     if (m_BitStream.IsEOF() || !CanReadCoords())
-      return false;
+      return std::vector<CPDF_MeshVertex>();
 
-    vertex[i].position = pObject2Bitmap.Transform(ReadCoords());
+    vertices.push_back(CPDF_MeshVertex());
+    CPDF_MeshVertex& vertex = vertices.back();
+    vertex.position = pObject2Bitmap.Transform(ReadCoords());
     if (!CanReadColor())
-      return false;
+      return std::vector<CPDF_MeshVertex>();
 
-    std::tie(vertex[i].r, vertex[i].g, vertex[i].b) = ReadColor();
+    std::tie(vertex.r, vertex.g, vertex.b) = ReadColor();
     m_BitStream.ByteAlign();
   }
-  return true;
+  return vertices;
 }
-- 
cgit v1.2.3