From f768baf129fcafc4342193477e0c41c082ef5ca5 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Fri, 14 Jul 2017 16:39:39 -0400
Subject: Let CPDF_MeshStream::ReadVertexRow return a vector
In this CL, CPDF_MeshStream::ReadVertexRow returns a vector. The vector size is not allocated in advance to prevent OOM attacks, since the size is given as an input to the PDF.
Bug: chromium:735248
Change-Id: I3e2b020896f24715af5dfd9aa18768e6d64d6f76
Reviewed-on: https://pdfium-review.googlesource.com/7950
Commit-Queue: dsinclair
Reviewed-by: dsinclair
---
 core/fpdfapi/page/cpdf_meshstream.cpp | 21 ++++++++++++---------
 core/fpdfapi/page/cpdf_meshstream.h | 5 ++---
 core/fpdfapi/render/cpdf_renderstatus.cpp | 21 ++++++++++-----------
 3 files changed, 24 insertions(+), 23 deletions(-)
(limited to 'core')
diff --git a/core/fpdfapi/page/cpdf_meshstream.cpp b/core/fpdfapi/page/cpdf_meshstream.cpp
index 7a6228a25b..8588734d95 100644
--- a/core/fpdfapi/page/cpdf_meshstream.cpp
+++ b/core/fpdfapi/page/cpdf_meshstream.cpp
@@ -242,19 +242,22 @@ bool CPDF_MeshStream::ReadVertex(const CFX_Matrix& pObject2Bitmap,
 return true;
 }
-bool CPDF_MeshStream::ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
- int count,
- CPDF_MeshVertex* vertex) {
- for (int i = 0; i < count; i++) {
+std::vector CPDF_MeshStream::ReadVertexRow(
+ const CFX_Matrix& pObject2Bitmap,
+ int count) {
+ std::vector vertices;
+ for (int i = 0; i < count; ++i) {
 if (m_BitStream.IsEOF() || !CanReadCoords())
- return false;
+ return std::vector();
- vertex[i].position = pObject2Bitmap.Transform(ReadCoords());
+ vertices.push_back(CPDF_MeshVertex());
+ CPDF_MeshVertex& vertex = vertices.back();
+ vertex.position = pObject2Bitmap.Transform(ReadCoords());
 if (!CanReadColor())
- return false;
+ return std::vector();
- std::tie(vertex[i].r, vertex[i].g, vertex[i].b) = ReadColor();
+ std::tie(vertex.r, vertex.g, vertex.b) = ReadColor();
 m_BitStream.ByteAlign();
 }
- return true;
+ return vertices;
 }
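Review bot: The reason `vertices` is grown with `push_back` rather than sized from `count` is recorded only in the commit message, so a later cleanup could add `vertices.reserve(count)` and bring back an allocation driven by a PDF-supplied value. A comment above the declaration in ReadVertexRow would keep that visible, for example `// No reserve(count): count comes from the PDF; grow only as vertices are actually read.` The function also now reports a read failure and a non-positive `count` the same way, as an empty vector. The caller in cpdf_renderstatus.cpp returns in both cases, but the declaration in cpdf_meshstream.h should carry a one-line comment stating that an empty result means no complete row was read.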
diff --git a/core/fpdfapi/page/cpdf_meshstream.h b/core/fpdfapi/page/cpdf_meshstream.h
index af636a964d..60c47790a4 100644
--- a/core/fpdfapi/page/cpdf_meshstream.h
+++ b/core/fpdfapi/page/cpdf_meshstream.h
@@ -54,9 +54,8 @@ class CPDF_MeshStream {
 bool ReadVertex(const CFX_Matrix& pObject2Bitmap,
 CPDF_MeshVertex* vertex,
 uint32_t* flag);
- bool ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
- int count,
- CPDF_MeshVertex* vertex);
+ std::vector ReadVertexRow(const CFX_Matrix& pObject2Bitmap,
+ int count);
 CFX_BitStream* BitStream() { return &m_BitStream; }
 uint32_t ComponentBits() const { return m_nComponentBits; }
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index ccbe39ea07..e033f26093 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -527,25 +527,24 @@ void DrawLatticeGouraudShading(
 if (!stream.Load())
 return;
- std::unique_ptr vertex(
- FX_Alloc2D(CPDF_MeshVertex, row_verts, 2));
- if (!stream.ReadVertexRow(*pObject2Bitmap, row_verts, vertex.get()))
+ std::vector vertices[2];
+ vertices[0] = stream.ReadVertexRow(*pObject2Bitmap, row_verts);
+ if (vertices[0].empty())
 return;
 int last_index = 0;
 while (1) {
- CPDF_MeshVertex* last_row = vertex.get() + last_index * row_verts;
- CPDF_MeshVertex* this_row = vertex.get() + (1 - last_index) * row_verts;
- if (!stream.ReadVertexRow(*pObject2Bitmap, row_verts, this_row))
+ vertices[1 - last_index] = stream.ReadVertexRow(*pObject2Bitmap, row_verts);
+ if (vertices[1 - last_index].empty())
 return;
 CPDF_MeshVertex triangle[3];
- for (int i = 1; i < row_verts; i++) {
- triangle[0] = last_row[i];
- triangle[1] = this_row[i - 1];
- triangle[2] = last_row[i - 1];
+ for (int i = 1; i < row_verts; ++i) {
+ triangle[0] = vertices[last_index][i];
+ triangle[1] = vertices[1 - last_index][i - 1];
+ triangle[2] = vertices[last_index][i - 1];
 DrawGouraud(pBitmap, alpha, triangle);
- triangle[2] = this_row[i];
+ triangle[2] = vertices[1 - last_index][i];
 DrawGouraud(pBitmap, alpha, triangle);
 }
 last_index = 1 - last_index;
-- cgit v1.2.3
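Review bot: The `empty()` checks on `vertices[0]` and `vertices[1 - last_index]` are the only guard before the `[i]` and `[i - 1]` indexing in the triangle loop, so the bound depends on ReadVertexRow returning either nothing or exactly `row_verts` elements. That holds for the implementation in this commit, but comparing the size keeps the bound local and survives a later change that returns a partial row: `if (vertices[0].size() != static_cast<size_t>(row_verts)) return;` and the same test on `vertices[1 - last_index]` inside the loop. The body of DrawLatticeGouraudShading starts and ends outside the hunk, so whether `row_verts` is range-checked before this point cannot be confirmed from here.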