core/src/fxcodec/codec/fx_codec_flate.cpp - Issue 1124563002: Fix a couple of divide by zero crashes in PNG/TIFF predictors.

Side by Side Diff: core/src/fxcodec/codec/fx_codec_flate.cpp

Issue 1124563002: Fix a couple of divide by zero crashes in PNG/TIFF predictors. (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master

Patch Set: Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 PDFium Authors. All rights reserved.	1 // Copyright 2014 PDFium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com	5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com

6	6

7 #include "../../fx_zlib.h"	7 #include "../../fx_zlib.h"

8 #include "../../../include/fxcodec/fx_codec.h"	8 #include "../../../include/fxcodec/fx_codec.h"

9 #include "codec_int.h"	9 #include "codec_int.h"

10 extern "C"	10 extern "C"

(...skipping 215 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
226 }	226 }

227 if (pb <= pc) {	227 if (pb <= pc) {

228 return (FX_BYTE)b;	228 return (FX_BYTE)b;

229 }	229 }

230 return (FX_BYTE)c;	230 return (FX_BYTE)c;

231 }	231 }

232 static void PNG_PredictorEncode(FX_LPBYTE& data_buf, FX_DWORD& data_size, int pr edictor, int Colors, int BitsPerComponent, int Columns)	232 static void PNG_PredictorEncode(FX_LPBYTE& data_buf, FX_DWORD& data_size, int pr edictor, int Colors, int BitsPerComponent, int Columns)

233 {	233 {

234 int BytesPerPixel = (Colors * BitsPerComponent + 7) / 8;	234 int BytesPerPixel = (Colors * BitsPerComponent + 7) / 8;

235 int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;	235 int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;

	236 if (row_size == 0)
	Tom Sepez 2015/05/04 15:23:12 what happens after we take this path? Do we conti what happens after we take this path? Do we continue with the decode using uninitialized memory? My concern is that this might disclose some memory contents. Maybe we need a bool return value for errors. Lei Zhang 2015/05/04 23:19:36 Done. I forgot that many parameters passed by refe Show quoted text On 2015/05/04 15:23:12, Tom Sepez wrote: > what happens after we take this path? Do we continue with the decode using > uninitialized memory? My concern is that this might disclose some memory > contents. Maybe we need a bool return value for errors. Done. I forgot that many parameters passed by reference are actually in-out params. Best to just bail out on error.
	237 return;

236 int row_count = (data_size + row_size - 1) / row_size;	238 int row_count = (data_size + row_size - 1) / row_size;

237 int last_row_size = data_size % row_size;	239 int last_row_size = data_size % row_size;

238 FX_LPBYTE dest_buf = FX_Alloc( FX_BYTE, (row_size + 1) * row_count);	240 FX_LPBYTE dest_buf = FX_Alloc( FX_BYTE, (row_size + 1) * row_count);

239 if (dest_buf == NULL) {	241 if (dest_buf == NULL) {

240 return;	242 return;

241 }	243 }

242 int byte_cnt = 0;	244 int byte_cnt = 0;

243 FX_LPBYTE pSrcData = data_buf;	245 FX_LPBYTE pSrcData = data_buf;

244 FX_LPBYTE pDestData = dest_buf;	246 FX_LPBYTE pDestData = dest_buf;

245 for (int row = 0; row < row_count; row++) {	247 for (int row = 0; row < row_count; row++) {

(...skipping 305 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
551 } else {	553 } else {

552 for (int i = BytesPerPixel; i < row_size; i ++) {	554 for (int i = BytesPerPixel; i < row_size; i ++) {

553 dest_buf[i] += dest_buf[i - BytesPerPixel];	555 dest_buf[i] += dest_buf[i - BytesPerPixel];

554 }	556 }

555 }	557 }

556 }	558 }

557 static void TIFF_Predictor(FX_LPBYTE& data_buf, FX_DWORD& data_size,	559 static void TIFF_Predictor(FX_LPBYTE& data_buf, FX_DWORD& data_size,

558 int Colors, int BitsPerComponent, int Columns)	560 int Colors, int BitsPerComponent, int Columns)

559 {	561 {

560 int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;	562 int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;

	563 if (row_size == 0)

	564 return;

561 int row_count = (data_size + row_size - 1) / row_size;	565 int row_count = (data_size + row_size - 1) / row_size;

562 int last_row_size = data_size % row_size;	566 int last_row_size = data_size % row_size;

563 for (int row = 0; row < row_count; row ++) {	567 for (int row = 0; row < row_count; row ++) {

564 FX_LPBYTE scan_line = data_buf + row * row_size;	568 FX_LPBYTE scan_line = data_buf + row * row_size;

565 if ((row + 1) * row_size > (int)data_size) {	569 if ((row + 1) * row_size > (int)data_size) {

566 row_size = last_row_size;	570 row_size = last_row_size;

567 }	571 }

568 TIFF_PredictLine(scan_line, row_size, BitsPerComponent, Colors, Columns) ;	572 TIFF_PredictLine(scan_line, row_size, BitsPerComponent, Colors, Columns) ;

569 }	573 }

570 }	574 }

(...skipping 357 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
928 dest_size = src_size + src_size / 1000 + 12;	932 dest_size = src_size + src_size / 1000 + 12;

929 dest_buf = FX_Alloc( FX_BYTE, dest_size);	933 dest_buf = FX_Alloc( FX_BYTE, dest_size);

930 if (dest_buf == NULL) {	934 if (dest_buf == NULL) {

931 return FALSE;	935 return FALSE;

932 }	936 }

933 unsigned long temp_size = dest_size;	937 unsigned long temp_size = dest_size;

934 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size);	938 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size);

935 dest_size = (FX_DWORD)temp_size;	939 dest_size = (FX_DWORD)temp_size;

936 return TRUE;	940 return TRUE;

937 }	941 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »