From 6c67da092ce8bb384f60e2eae32e18b7283ae76e Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Wed, 7 Feb 2018 20:00:25 +0000
Subject: Check that request sizes in ReadData don't overflow

When a very large, bogus value, was being passed in for the number of bytes to read, this could cause an overflow in the check for if there is data available.

BUG=chromium:809824
Change-Id: I54af6655b61d39275f3ae6fabb27be2bee3fef05
Reviewed-on: https://pdfium-review.googlesource.com/25871
Reviewed-by: dsinclair
Commit-Queue: Ryan Harrison
---
 core/fxcodec/bmp/cfx_bmpdecompressor.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'core')

diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
index d5d96de65d..191df8e29a 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
@@ -12,6 +12,7 @@
 #include "core/fxcodec/bmp/cfx_bmpcontext.h"
 #include "core/fxcrt/fx_system.h"
 #include "third_party/base/logging.h"
+#include "third_party/base/numerics/safe_math.h"
 #include "third_party/base/ptr_util.h"
 
 namespace {
@@ -629,12 +630,14 @@ int32_t CFX_BmpDecompressor::DecodeRLE4() {
   NOTREACHED();
 }
 
-uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size_) {
-  if (avail_in_ < skip_size_ + data_size_)
+uint8_t* CFX_BmpDecompressor::ReadData(uint8_t** des_buf, uint32_t data_size) {
+  pdfium::base::CheckedNumeric request_size = data_size;
+  request_size += skip_size_;
+  if (!request_size.IsValid() || avail_in_ < request_size.ValueOrDie())
     return nullptr;
 
   *des_buf = next_in_ + skip_size_;
-  skip_size_ += data_size_;
+  skip_size_ += data_size;
   return *des_buf;
 }
 
-- 
cgit v1.2.3
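Review bot: The new guard in ReadData gives no hint of why plain addition was replaced, so a later cleanup could fold it back into `skip_size_ + data_size` and reintroduce the wrap; a comment above the CheckedNumeric line such as `// data_size is taken from the file, so skip_size_ + data_size can wrap; reject the request instead of reading past next_in_.` would pin the intent. As rendered here `pdfium::base::CheckedNumeric request_size` carries no template argument; if that is not a rendering artifact, `pdfium::base::CheckedNumeric<uint32_t>` is what the comparison with avail_in_ needs, since the codebase cannot rely on class template argument deduction. The declared types of avail_in_ and skip_size_ are not visible in the hunk, so whether ValueOrDie() and avail_in_ compare at the same width is inferred, not checked. The diffstat shows only the .cpp changed, so the header declaration presumably still spells the parameter `data_size_`; harmless, but worth aligning.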