From 4dd613cb51c1d77ac2998f760325ed5b93f4ebf0 Mon Sep 17 00:00:00 2001 From: kcwu Date: Fri, 23 Sep 2016 09:26:51 -0700 Subject: Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder BUG=648935,649436 Review-Url: https://codereview.chromium.org/2360283004 --- core/fxcodec/codec/fx_codec_fax.cpp | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'core/fxcodec') diff --git a/core/fxcodec/codec/fx_codec_fax.cpp b/core/fxcodec/codec/fx_codec_fax.cpp index c0202829ee..11c42ade28 100644 --- a/core/fxcodec/codec/fx_codec_fax.cpp +++ b/core/fxcodec/codec/fx_codec_fax.cpp @@ -36,7 +36,11 @@ const uint8_t ZeroLeadPos[256] = { 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 7, 8, }; +// Limit of image dimension, an arbitrary large number. +const int kMaxImageDimension = 0x01FFFF; + int FindBit(const uint8_t* data_buf, int max_pos, int start_pos, int bit) { + ASSERT(start_pos >= 0); if (start_pos >= max_pos) { return max_pos; } @@ -511,7 +515,7 @@ CCodec_FaxDecoder::CCodec_FaxDecoder(const uint8_t* src_buf, m_OrigWidth = width; if (m_OrigHeight == 0) m_OrigHeight = height; - // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder. + // Should not overflow. Checked by CCodec_FaxDecoder::CreateDecoder. m_Pitch = (static_cast(m_OrigWidth) + 31) / 32 * 4; m_OutputWidth = m_OrigWidth; m_OutputHeight = m_OrigHeight; @@ -624,6 +628,13 @@ CCodec_ScanlineDecoder* CCodec_FaxModule::CreateDecoder( FX_BOOL BlackIs1, int Columns, int Rows) { + // Reject invalid values. + if (width <= 0 || height < 0 || Columns < 0 || Rows < 0) + return nullptr; + // Reject unreasonable large input. + if (width > kMaxImageDimension || height > kMaxImageDimension || + Columns > kMaxImageDimension || Rows > kMaxImageDimension) + return nullptr; return new CCodec_FaxDecoder(src_buf, src_size, width, height, K, EndOfLine, EncodedByteAlign, BlackIs1, Columns, Rows); } -- cgit v1.2.3