fix 617135

fix 617135


to fix bug 617135
617135 described an exploit against pdfium using a malformed gif.
This fix introduced a couple edge case handling lines to address
the OOB issue.

BUG=617135
Committed: https://pdfium.googlesource.com/pdfium/+/8374fe4a11a513b23297e29d38c376d8cf36e8bf

[hong_zhang, 2016-08-10 01:06:56]

hong_zhang@foxitsoftware.com changed reviewers:
+ ochang@chromium.org, thestig@chromium.org, tsepez@chromium.org

[hong_zhang, 2016-08-10 01:06:57]

Dear all,

This is a foxit attempt to fix bug 617135. Please take a look.

Best Regards,
-Hong

[Lei Zhang, 2016-08-10 14:58:31]

https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cpp
File core/fxcodec/lgif/fx_gif.cpp (right):

https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cp...
core/fxcodec/lgif/fx_gif.cpp:974: sizeof(s_gif_interlace_step) /
sizeof(int32_t)) {
This can be: FX_ArraySize(s_gif_interlace_step)

[Tom Sepez, 2016-08-10 17:23:22]

LGTM otherwise.

https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cpp
File core/fxcodec/lgif/fx_gif.cpp (right):

https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cp...
core/fxcodec/lgif/fx_gif.cpp:975: FX_Free(gif_image_ptr->image_row_buf);
Nit: we do this same cleanup in at least 3 places in this function  (928, 975,
995) consider making a helper function as a follow-on.

[hong_zhang, 2016-08-10 18:06:48]

On 2016/08/10 17:23:22, Tom Sepez wrote:
> LGTM otherwise.
> 
> https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cpp
> File core/fxcodec/lgif/fx_gif.cpp (right):
> 
>
https://codereview.chromium.org/2230683002/diff/1/core/fxcodec/lgif/fx_gif.cp...
> core/fxcodec/lgif/fx_gif.cpp:975: FX_Free(gif_image_ptr->image_row_buf);
> Nit: we do this same cleanup in at least 3 places in this function  (928, 975,
> 995) consider making a helper function as a follow-on.

Both make sense to me. So my plan is to use the more consistent FX_ method and 
write a helper function for the three appearance. There will be another cl
upload shortly.

[hong_zhang, 2016-08-10 19:06:24]

The CQ bit was checked by hong_zhang@foxitsoftware.com to run a CQ dry run

[commit-bot: I haz the power, 2016-08-10 19:06:28]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-10 19:19:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-08-10 19:19:18]

Dry run: This issue passed the CQ dry run.

[hong_zhang, 2016-08-10 19:22:03]

Dear all,

I uploaded a second patch set. PTAL.

Best Regards,
-Hong

[Oliver Chang, 2016-08-12 18:38:57]

lgtm

[hong_zhang, 2016-08-12 22:01:18]

The CQ bit was checked by hong_zhang@foxitsoftware.com

[hong_zhang, 2016-08-12 22:01:19]

The patchset sent to the CQ was uploaded after l-g-t-m from tsepez@chromium.org
Link to the patchset: https://codereview.chromium.org/2230683002/#ps20001
(title: "FX_ArraySize and cleanup helper method")

[commit-bot: I haz the power, 2016-08-12 22:01:22]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-12 22:16:00]

Description was changed from

==========
fix 617135


to fix bug 617135
617135 described an exploit against pdfium using a malformed gif.
This fix introduced a couple edge case handling lines to address
the OOB issue.

BUG= 617135
==========

to

==========
fix 617135


to fix bug 617135
617135 described an exploit against pdfium using a malformed gif.
This fix introduced a couple edge case handling lines to address
the OOB issue.

BUG= 617135

Committed:
https://pdfium.googlesource.com/pdfium/+/8374fe4a11a513b23297e29d38c376d8cf36...
==========

[commit-bot: I haz the power, 2016-08-12 22:16:01]

Committed patchset #2 (id:20001) as
https://pdfium.googlesource.com/pdfium/+/8374fe4a11a513b23297e29d38c376d8cf36...