From 0afbad0509578a5fee6fec4394d6b3c55425cf28 Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Fri, 20 Nov 2015 10:01:48 -0800 Subject: Merge to XFA: Change |CCodec_ScanlineDecoder::m_Pitch| to FX_DWORD This matches the type of the corresponding |CFX_DIBSource::m_Pitch|, where integer overflow is checked for FX_DWORD. This change is propagated to many other places. Also, check for integer overflow in |CCodec_RLScanlineDecoder::Create| during the calculation of |m_Pitch| since it aligns to 4 bytes while overflow was was previously checked without this alignment. TBR=tsepez@chromium.org BUG=555784 Review URL: https://codereview.chromium.org/1460033002 . (cherry picked from commit e7950df70a2fd658f466751b29483436cb31e829) Review URL: https://codereview.chromium.org/1461363002 .
---
.../fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'core/src/fpdfapi/fpdf_parser')
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
index a5a198e7b2..c80770366b 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
@@ -105,4 +105,14 @@ TEST_F(FPDFParserDecodeEmbeddertest, Bug_552046) {
 UnloadPage(page);
 }
 
+TEST_F(FPDFParserDecodeEmbeddertest, Bug_555784) {
+ // Tests bad input to the run length decoder that caused a heap overflow.
+ // Should not cause a crash when rendered.
+ EXPECT_TRUE(OpenDocument("bug_555784.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
+
 #undef TEST_CASE
-- cgit v1.2.3
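Review bot: The `EXPECT_TRUE(OpenDocument("bug_555784.pdf"))` check in the new `Bug_555784` test is non-fatal, so if the malformed file fails to open the test still goes on to `LoadPage(0)` and `RenderPage(page)` without a document; `ASSERT_TRUE(OpenDocument("bug_555784.pdf"));` would stop there. Nothing checks `page` either, so if the page fails to load (presumably a null handle, worth confirming against the fixture) the run-length decoder is never reached and the test passes without exercising the fix; an `ASSERT_NE(nullptr, page);` after `LoadPage(0)` would pin that down. A heap overflow does not reliably crash an uninstrumented build, so the comment could say where the test is meaningful, e.g. `// Only a reliable regression check in sanitizer (ASan) builds.`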