Chromium Code Reviews Chromium Code Reviews
Issue 1305033006:
Guard against null image data in CJBig2_GRRDProc. (Closed)
Base URL: https://pdfium.googlesource.com/pdfium@b514891_clean_aaa_cobject_rm2| OLD | NEW |
|---|---|
| 1 // Copyright 2014 PDFium Authors. All rights reserved. | 1 // Copyright 2014 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include <list> | 7 #include <list> |
| 8 #include "JBig2_Context.h" | 8 #include "JBig2_Context.h" |
| 9 | 9 |
| 10 // Implement a very small least recently used (LRU) cache. It is very | 10 // Implement a very small least recently used (LRU) cache. It is very |
| (...skipping 384 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 395 } | 395 } |
| 396 if (m_pStream->readInteger(&pSegment->m_dwData_length) != 0) { | 396 if (m_pStream->readInteger(&pSegment->m_dwData_length) != 0) { |
| 397 goto failed; | 397 goto failed; |
| 398 } | 398 } |
| 399 pSegment->m_pData = m_pStream->getPointer(); | 399 pSegment->m_pData = m_pStream->getPointer(); |
| 400 pSegment->m_State = JBIG2_SEGMENT_DATA_UNPARSED; | 400 pSegment->m_State = JBIG2_SEGMENT_DATA_UNPARSED; |
| 401 return JBIG2_SUCCESS; | 401 return JBIG2_SUCCESS; |
| 402 failed: | 402 failed: |
| 403 return JBIG2_ERROR_TOO_SHORT; | 403 return JBIG2_ERROR_TOO_SHORT; |
| 404 } | 404 } |
| 405 | |
| 405 int32_t CJBig2_Context::parseSegmentData(CJBig2_Segment* pSegment, | 406 int32_t CJBig2_Context::parseSegmentData(CJBig2_Segment* pSegment, |
| 406 IFX_Pause* pPause) { | 407 IFX_Pause* pPause) { |
| 407 int32_t ret = ProcessiveParseSegmentData(pSegment, pPause); | 408 int32_t ret = ProcessiveParseSegmentData(pSegment, pPause); |
| 408 while (m_ProcessiveStatus == FXCODEC_STATUS_DECODE_TOBECONTINUE && | 409 while (m_ProcessiveStatus == FXCODEC_STATUS_DECODE_TOBECONTINUE && |
| 409 m_pStream->getByteLeft() > 0) { | 410 m_pStream->getByteLeft() > 0) { |
| 410 ret = ProcessiveParseSegmentData(pSegment, pPause); | 411 ret = ProcessiveParseSegmentData(pSegment, pPause); |
| 411 } | 412 } |
| 412 return ret; | 413 return ret; |
| 413 } | 414 } |
| 415 | |
| 414 int32_t CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment* pSegment, | 416 int32_t CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment* pSegment, |
| 415 IFX_Pause* pPause) { | 417 IFX_Pause* pPause) { |
| 416 switch (pSegment->m_cFlags.s.type) { | 418 switch (pSegment->m_cFlags.s.type) { |
| 417 case 0: | 419 case 0: |
| 418 return parseSymbolDict(pSegment, pPause); | 420 return parseSymbolDict(pSegment, pPause); |
| 419 case 4: | 421 case 4: |
| 420 case 6: | 422 case 6: |
| 421 case 7: | 423 case 7: |
| 422 if (m_nState == JBIG2_OUT_OF_PAGE) { | 424 if (m_nState == JBIG2_OUT_OF_PAGE) |
| 423 goto failed2; | 425 return JBIG2_ERROR_FATAL; |
| 424 } else { | 426 return parseTextRegion(pSegment); |
| 425 return parseTextRegion(pSegment); | |
| 426 } | |
| 427 case 16: | 427 case 16: |
| 428 return parsePatternDict(pSegment, pPause); | 428 return parsePatternDict(pSegment, pPause); |
| 429 case 20: | 429 case 20: |
| 430 case 22: | 430 case 22: |
| 431 case 23: | 431 case 23: |
| 432 if (m_nState == JBIG2_OUT_OF_PAGE) { | 432 if (m_nState == JBIG2_OUT_OF_PAGE) |
| 433 goto failed2; | 433 return JBIG2_ERROR_FATAL; |
| 434 } else { | 434 return parseHalftoneRegion(pSegment, pPause); |
| 435 return parseHalftoneRegion(pSegment, pPause); | |
| 436 } | |
| 437 case 36: | 435 case 36: |
| 438 case 38: | 436 case 38: |
| 439 case 39: | 437 case 39: |
| 440 if (m_nState == JBIG2_OUT_OF_PAGE) { | 438 if (m_nState == JBIG2_OUT_OF_PAGE) |
| 441 goto failed2; | 439 return JBIG2_ERROR_FATAL; |
| 442 } else { | 440 return parseGenericRegion(pSegment, pPause); |
| 443 return parseGenericRegion(pSegment, pPause); | |
| 444 } | |
| 445 case 40: | 441 case 40: |
| 446 case 42: | 442 case 42: |
| 447 case 43: | 443 case 43: |
| 448 if (m_nState == JBIG2_OUT_OF_PAGE) { | 444 if (m_nState == JBIG2_OUT_OF_PAGE) |
| 449 goto failed2; | 445 return JBIG2_ERROR_FATAL; |
| 450 } else { | 446 return parseGenericRefinementRegion(pSegment); |
| 451 return parseGenericRefinementRegion(pSegment); | |
| 452 } | |
| 453 case 48: { | 447 case 48: { |
| 454 FX_WORD wTemp; | 448 FX_WORD wTemp; |
| 455 nonstd::unique_ptr<JBig2PageInfo> pPageInfo(new JBig2PageInfo); | 449 nonstd::unique_ptr<JBig2PageInfo> pPageInfo(new JBig2PageInfo); |
| 456 if ((m_pStream->readInteger(&pPageInfo->m_dwWidth) != 0) || | 450 if ((m_pStream->readInteger(&pPageInfo->m_dwWidth) != 0) || |
| 457 (m_pStream->readInteger(&pPageInfo->m_dwHeight) != 0) || | 451 (m_pStream->readInteger(&pPageInfo->m_dwHeight) != 0) || |
| 458 (m_pStream->readInteger(&pPageInfo->m_dwResolutionX) != 0) || | 452 (m_pStream->readInteger(&pPageInfo->m_dwResolutionX) != 0) || |
| 459 (m_pStream->readInteger(&pPageInfo->m_dwResolutionY) != 0) || | 453 (m_pStream->readInteger(&pPageInfo->m_dwResolutionY) != 0) || |
| 460 (m_pStream->read1Byte(&pPageInfo->m_cFlags) != 0) || | 454 (m_pStream->read1Byte(&pPageInfo->m_cFlags) != 0) || |
| 461 (m_pStream->readShortInteger(&wTemp) != 0)) { | 455 (m_pStream->readShortInteger(&wTemp) != 0)) { |
| 462 goto failed1; | 456 return JBIG2_ERROR_TOO_SHORT; |
| 463 } | 457 } |
| 464 pPageInfo->m_bIsStriped = ((wTemp >> 15) & 1) ? 1 : 0; | 458 pPageInfo->m_bIsStriped = ((wTemp >> 15) & 1) ? TRUE : FALSE; |
| 465 pPageInfo->m_wMaxStripeSize = wTemp & 0x7fff; | 459 pPageInfo->m_wMaxStripeSize = wTemp & 0x7fff; |
| 466 if ((pPageInfo->m_dwHeight == 0xffffffff) && | 460 bool bMaxHeight = (pPageInfo->m_dwHeight == 0xffffffff); |
| 467 (pPageInfo->m_bIsStriped != TRUE)) { | 461 if (bMaxHeight && pPageInfo->m_bIsStriped != TRUE) |
| 468 pPageInfo->m_bIsStriped = TRUE; | 462 pPageInfo->m_bIsStriped = TRUE; |
| 469 } | 463 |
| 470 if (!m_bBufSpecified) { | 464 if (!m_bBufSpecified) { |
| 471 delete m_pPage; | 465 delete m_pPage; |
| 472 if (pPageInfo->m_dwHeight == 0xffffffff) { | 466 FX_DWORD height = |
| 473 m_pPage = new CJBig2_Image(pPageInfo->m_dwWidth, | 467 bMaxHeight ? pPageInfo->m_wMaxStripeSize : pPageInfo->m_dwHeight; |
| 474 pPageInfo->m_wMaxStripeSize); | 468 m_pPage = new CJBig2_Image(pPageInfo->m_dwWidth, height); |
| 475 } else { | |
| 476 m_pPage = | |
| 477 new CJBig2_Image(pPageInfo->m_dwWidth, pPageInfo->m_dwHeight); | |
| 478 } | |
| 479 } | 469 } |
| 470 | |
| 471 if (!m_pPage->m_pData) { | |
| 472 m_ProcessiveStatus = FXCODEC_STATUS_ERROR; | |
|
Lei Zhang
2015/09/09 23:41:07
This will make CJBig2_Context::parseSegmentData()
| |
| 473 return JBIG2_ERROR_TOO_SHORT; | |
| 474 } | |
| 475 | |
| 480 m_pPage->fill((pPageInfo->m_cFlags & 4) ? 1 : 0); | 476 m_pPage->fill((pPageInfo->m_cFlags & 4) ? 1 : 0); |
| 481 m_PageInfoList.push_back(pPageInfo.release()); | 477 m_PageInfoList.push_back(pPageInfo.release()); |
| 482 m_nState = JBIG2_IN_PAGE; | 478 m_nState = JBIG2_IN_PAGE; |
| 483 } break; | 479 } break; |
| 484 case 49: | 480 case 49: |
| 485 m_nState = JBIG2_OUT_OF_PAGE; | 481 m_nState = JBIG2_OUT_OF_PAGE; |
| 486 return JBIG2_END_OF_PAGE; | 482 return JBIG2_END_OF_PAGE; |
| 487 break; | 483 break; |
| 488 case 50: | 484 case 50: |
| 489 m_pStream->offset(pSegment->m_dwData_length); | 485 m_pStream->offset(pSegment->m_dwData_length); |
| 490 break; | 486 break; |
| 491 case 51: | 487 case 51: |
| 492 return JBIG2_END_OF_FILE; | 488 return JBIG2_END_OF_FILE; |
| 493 case 52: | 489 case 52: |
| 494 m_pStream->offset(pSegment->m_dwData_length); | 490 m_pStream->offset(pSegment->m_dwData_length); |
| 495 break; | 491 break; |
| 496 case 53: | 492 case 53: |
| 497 return parseTable(pSegment); | 493 return parseTable(pSegment); |
| 498 case 62: | 494 case 62: |
| 499 m_pStream->offset(pSegment->m_dwData_length); | 495 m_pStream->offset(pSegment->m_dwData_length); |
| 500 break; | 496 break; |
| 501 default: | 497 default: |
| 502 break; | 498 break; |
| 503 } | 499 } |
| 504 return JBIG2_SUCCESS; | 500 return JBIG2_SUCCESS; |
| 505 failed1: | |
| 506 return JBIG2_ERROR_TOO_SHORT; | |
| 507 failed2: | |
| 508 return JBIG2_ERROR_FATAL; | |
| 509 } | 501 } |
| 502 | |
| 510 int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment, | 503 int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment, |
| 511 IFX_Pause* pPause) { | 504 IFX_Pause* pPause) { |
| 512 FX_DWORD dwTemp; | 505 FX_DWORD dwTemp; |
| 513 FX_WORD wFlags; | 506 FX_WORD wFlags; |
| 514 uint8_t cSDHUFFDH, cSDHUFFDW, cSDHUFFBMSIZE, cSDHUFFAGGINST; | 507 uint8_t cSDHUFFDH, cSDHUFFDW, cSDHUFFBMSIZE, cSDHUFFAGGINST; |
| 515 CJBig2_HuffmanTable *Table_B1 = NULL, *Table_B2 = NULL, *Table_B3 = NULL, | 508 CJBig2_HuffmanTable *Table_B1 = NULL, *Table_B2 = NULL, *Table_B3 = NULL, |
| 516 *Table_B4 = NULL, *Table_B5 = NULL; | 509 *Table_B4 = NULL, *Table_B5 = NULL; |
| 517 int32_t i, nIndex, nRet; | 510 int32_t i, nIndex, nRet; |
| 518 CJBig2_Segment *pSeg = NULL, *pLRSeg = NULL; | 511 CJBig2_Segment *pSeg = NULL, *pLRSeg = NULL; |
| 519 FX_BOOL bUsed; | 512 FX_BOOL bUsed; |
| (...skipping 1121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1641 SBSYMCODES[CURTEMP].code = CURCODE; | 1634 SBSYMCODES[CURTEMP].code = CURCODE; |
| 1642 CURCODE = CURCODE + 1; | 1635 CURCODE = CURCODE + 1; |
| 1643 } | 1636 } |
| 1644 CURTEMP = CURTEMP + 1; | 1637 CURTEMP = CURTEMP + 1; |
| 1645 } | 1638 } |
| 1646 CURLEN = CURLEN + 1; | 1639 CURLEN = CURLEN + 1; |
| 1647 } | 1640 } |
| 1648 FX_Free(LENCOUNT); | 1641 FX_Free(LENCOUNT); |
| 1649 FX_Free(FIRSTCODE); | 1642 FX_Free(FIRSTCODE); |
| 1650 } | 1643 } |
| OLD | NEW |
