
Side by Side Diff: core/fxcodec/lbmp/fx_bmp.cpp

Issue 2202283003: Verify row bytes before alloc in BMP codec. (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 4 years, 4 months ago
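--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "core/fxcodec/lbmp/fx_bmp.h"
 
 #include <algorithm>
 
@@ -206,20 +206,26 @@
 case 24:
 bmp_ptr->out_row_bytes = BMP_WIDTHBYTES(bmp_ptr->width, 24);
 bmp_ptr->components = 3;
 break;
 case 32:
 bmp_ptr->out_row_bytes = bmp_ptr->src_row_bytes;
 bmp_ptr->components = 4;
 break;
 }
 FX_Free(bmp_ptr->out_row_buffer);
+
+if (bmp_ptr->out_row_bytes <= 0) {
+bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
+return 0;
+}
+
 bmp_ptr->out_row_buffer = FX_Alloc(uint8_t, bmp_ptr->out_row_bytes);
 FXSYS_memset(bmp_ptr->out_row_buffer, 0, bmp_ptr->out_row_bytes);
 bmp_save_decoding_status(bmp_ptr, BMP_D_STATUS_PAL);
 }
 if (bmp_ptr->decode_status == BMP_D_STATUS_PAL) {
 skip_size_org = bmp_ptr->skip_size;
 if (bmp_ptr->compress_flag == BMP_BITFIELDS) {
 if (bmp_ptr->bitCounts != 16 && bmp_ptr->bitCounts != 32) {
 bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
 return 0;
@@ -924,10 +930,10 @@
 case BMP_RLE4:
 bmp_encode_rle4(bmp_ptr, dst_buf, dst_size);
 break;
 default:
 break;
 }
 bmp_ptr->file_header.bfSize = dst_size;
 WriteFileHeader(&bmp_ptr->file_header, dst_buf);
 return TRUE;
 }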
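Review bot: The new early return at new lines 217–220 runs after `FX_Free(bmp_ptr->out_row_buffer)` on line 215, so on the corrupt-file path `bmp_ptr` keeps a pointer to freed memory. If a teardown or re-entry path frees or touches that buffer again (not visible on this page), that becomes a double free or use-after-free. Either move the check above the free, or add `bmp_ptr->out_row_buffer = nullptr;` directly after the `FX_Free` call. Separately, `<= 0` only rejects a row size that ended up zero or negative. If the arithmetic inside `BMP_WIDTHBYTES` (definition not shown) can wrap to a small positive value for a very large `width`, the buffer would still be undersized, so `width` should also be bounded before that computation. The enclosing function starts and ends outside the lines shown.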