Chromium Code Reviews Chromium Code Reviews
Issue 1379243002:
Fix PNG decoding divide by zero error due to zero row count. (Closed)
Base URL: https://pdfium.googlesource.com/pdfium@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 PDFium Authors. All rights reserved. | 1 // Copyright 2014 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include "../../../../third_party/base/nonstd_unique_ptr.h" | 7 #include "../../../../third_party/base/nonstd_unique_ptr.h" |
| 8 #include "../../../../third_party/zlib_v128/zlib.h" | 8 #include "../../../../third_party/zlib_v128/zlib.h" |
| 9 #include "../../../include/fxcodec/fx_codec.h" | 9 #include "../../../include/fxcodec/fx_codec.h" |
| 10 #include "../../../include/fxcodec/fx_codec_flate.h" | 10 #include "../../../include/fxcodec/fx_codec_flate.h" |
| (...skipping 382 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 393 static FX_BOOL PNG_Predictor(uint8_t*& data_buf, | 393 static FX_BOOL PNG_Predictor(uint8_t*& data_buf, |
| 394 FX_DWORD& data_size, | 394 FX_DWORD& data_size, |
| 395 int Colors, | 395 int Colors, |
| 396 int BitsPerComponent, | 396 int BitsPerComponent, |
| 397 int Columns) { | 397 int Columns) { |
| 398 const int BytesPerPixel = (Colors * BitsPerComponent + 7) / 8; | 398 const int BytesPerPixel = (Colors * BitsPerComponent + 7) / 8; |
| 399 const int row_size = (Colors * BitsPerComponent * Columns + 7) / 8; | 399 const int row_size = (Colors * BitsPerComponent * Columns + 7) / 8; |
| 400 if (row_size <= 0) | 400 if (row_size <= 0) |
| 401 return FALSE; | 401 return FALSE; |
| 402 const int row_count = (data_size + row_size) / (row_size + 1); | 402 const int row_count = (data_size + row_size) / (row_size + 1); |
| 403 if (row_count <= 0) | |
|
Tom Sepez
2015/10/02 16:44:25
Yeah, ok, but this gets better using only unsigned
Lei Zhang
2015/10/02 17:29:31
Acknowledged.
| |
| 404 return FALSE; | |
| 403 const int last_row_size = data_size % (row_size + 1); | 405 const int last_row_size = data_size % (row_size + 1); |
| 404 uint8_t* dest_buf = FX_Alloc2D(uint8_t, row_size, row_count); | 406 uint8_t* dest_buf = FX_Alloc2D(uint8_t, row_size, row_count); |
| 405 int byte_cnt = 0; | 407 int byte_cnt = 0; |
| 406 uint8_t* pSrcData = data_buf; | 408 uint8_t* pSrcData = data_buf; |
| 407 uint8_t* pDestData = dest_buf; | 409 uint8_t* pDestData = dest_buf; |
| 408 for (int row = 0; row < row_count; row++) { | 410 for (int row = 0; row < row_count; row++) { |
| 409 uint8_t tag = pSrcData[0]; | 411 uint8_t tag = pSrcData[0]; |
| 410 byte_cnt++; | 412 byte_cnt++; |
| 411 if (tag == 0) { | 413 if (tag == 0) { |
| 412 int move_size = row_size; | 414 int move_size = row_size; |
| (...skipping 553 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 966 FX_DWORD src_size, | 968 FX_DWORD src_size, |
| 967 uint8_t*& dest_buf, | 969 uint8_t*& dest_buf, |
| 968 FX_DWORD& dest_size) { | 970 FX_DWORD& dest_size) { |
| 969 dest_size = src_size + src_size / 1000 + 12; | 971 dest_size = src_size + src_size / 1000 + 12; |
| 970 dest_buf = FX_Alloc(uint8_t, dest_size); | 972 dest_buf = FX_Alloc(uint8_t, dest_size); |
| 971 unsigned long temp_size = dest_size; | 973 unsigned long temp_size = dest_size; |
| 972 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size); | 974 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size); |
| 973 dest_size = (FX_DWORD)temp_size; | 975 dest_size = (FX_DWORD)temp_size; |
| 974 return TRUE; | 976 return TRUE; |
| 975 } | 977 } |
| OLD | NEW |
