From c0043a8ccdf0768c2bd285f90e730645cb38a0c7 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 19 Apr 2018 16:46:04 +0000
Subject: Validate the Range key in Functions.

They are required for type 0 and type 4 functions. The number of outputs
should not be 0.

Change-Id: I4cb1fa14a32ef0a1c92230d83461c697f389106f
Reviewed-on: https://pdfium-review.googlesource.com/30931
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
---
 core/fpdfapi/page/cpdf_function.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'core/fpdfapi/page')

diff --git a/core/fpdfapi/page/cpdf_function.cpp b/core/fpdfapi/page/cpdf_function.cpp
index ce119ca487..a43c887e71 100644
--- a/core/fpdfapi/page/cpdf_function.cpp
+++ b/core/fpdfapi/page/cpdf_function.cpp
@@ -98,14 +98,24 @@ bool CPDF_Function::Init(CPDF_Object* pObj, std::set<CPDF_Object*>* pVisited) {
   }
 
   CPDF_Array* pRanges = pDict->GetArrayFor("Range");
-  m_nOutputs = 0;
-  if (pRanges) {
-    m_nOutputs = pRanges->GetCount() / 2;
+  m_nOutputs = pRanges ? pRanges->GetCount() / 2 : 0;
+
+  // Ranges are required for type 0 and type 4 functions. A non-zero
+  // |m_nOutputs| here implied Ranges meets the requirements.
+  {
+    bool bRangeRequired =
+        m_Type == Type::kType0Sampled || m_Type == Type::kType4PostScript;
+    if (bRangeRequired && m_nOutputs == 0)
+      return false;
+  }
+
+  if (m_nOutputs > 0) {
     size_t nOutputs = m_nOutputs * 2;
     m_pRanges = FX_Alloc(float, nOutputs);
     for (size_t i = 0; i < nOutputs; ++i)
       m_pRanges[i] = pRanges->GetFloatAt(i);
   }
+
   uint32_t old_outputs = m_nOutputs;
   if (!v_Init(pObj, pVisited))
     return false;
-- 
cgit v1.2.3