Fix a couple of divide by zero crashes in PNG/TIFF predictors.

Fix a couple of divide by zero crashes in PNG/TIFF predictors.

BUG=484002
R=tsepez@chromium.org

Committed: https://pdfium.googlesource.com/pdfium/+/6ab919ff310fb02bab8cf43d92a5553b11cbbb61

[Lei Zhang, 2015-05-04 05:20:42]

Patchset #1 (id:1) has been deleted

[Lei Zhang, 2015-05-04 05:20:57]

thestig@chromium.org changed reviewers:
+ tsepez@chromium.org

[Tom Sepez, 2015-05-04 15:23:12]

https://codereview.chromium.org/1124563002/diff/20001/core/src/fxcodec/codec/...
File core/src/fxcodec/codec/fx_codec_flate.cpp (right):

https://codereview.chromium.org/1124563002/diff/20001/core/src/fxcodec/codec/...
core/src/fxcodec/codec/fx_codec_flate.cpp:236: if (row_size == 0)
what happens after we take this path?  Do we continue with the decode using
uninitialized memory?  My concern is that this might disclose some memory
contents.  Maybe we need a bool return value for errors.

[Lei Zhang, 2015-05-04 23:19:36]

https://codereview.chromium.org/1124563002/diff/20001/core/src/fxcodec/codec/...
File core/src/fxcodec/codec/fx_codec_flate.cpp (right):

https://codereview.chromium.org/1124563002/diff/20001/core/src/fxcodec/codec/...
core/src/fxcodec/codec/fx_codec_flate.cpp:236: if (row_size == 0)
On 2015/05/04 15:23:12, Tom Sepez wrote:
> what happens after we take this path?  Do we continue with the decode using
> uninitialized memory?  My concern is that this might disclose some memory
> contents.  Maybe we need a bool return value for errors.

Done. I forgot that many parameters passed by reference are actually in-out
params. Best to just bail out on error.

[Tom Sepez, 2015-05-06 17:08:11]

lgtm

https://codereview.chromium.org/1124563002/diff/60001/core/src/fxcodec/codec/...
File core/src/fxcodec/codec/fx_codec_flate.cpp (right):

https://codereview.chromium.org/1124563002/diff/60001/core/src/fxcodec/codec/...
core/src/fxcodec/codec/fx_codec_flate.cpp:945: FX_Free(pSrcBuf);
Pity there isn't a way to do this with an unique_ptr.  What do we do in our
other code for cases like this?

[Lei Zhang, 2015-05-06 19:24:16]

https://codereview.chromium.org/1124563002/diff/60001/core/src/fxcodec/codec/...
File core/src/fxcodec/codec/fx_codec_flate.cpp (right):

https://codereview.chromium.org/1124563002/diff/60001/core/src/fxcodec/codec/...
core/src/fxcodec/codec/fx_codec_flate.cpp:945: FX_Free(pSrcBuf);
On 2015/05/06 17:08:11, Tom Sepez wrote:
> Pity there isn't a way to do this with an unique_ptr.  What do we do in our
> other code for cases like this?

unique_ptr can take a custom deleter as the second argument. Let's add one in a
separate CL and use it going forward.

[Lei Zhang, 2015-05-06 19:34:31]

Committed patchset #4 (id:80001) manually as
6ab919ff310fb02bab8cf43d92a5553b11cbbb61 (presubmit successful).