
Side by Side Diff: core/src/fxcodec/codec/fx_codec_flate.cpp

Issue 466153005: Fix buffer size offset error in PNG_Predictor (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 6 years, 4 months ago
1 // Copyright 2014 PDFium Authors. All rights reserved. 1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "../../fx_zlib.h" 7 #include "../../fx_zlib.h"
8 #include "../../../include/fxcodec/fx_codec.h" 8 #include "../../../include/fxcodec/fx_codec.h"
9 #include "codec_int.h" 9 #include "codec_int.h"
10 extern "C" 10 extern "C"
(...skipping 391 matching lines...) Expand 10 before | Expand all | Expand 10 after
402 int move_size = row_size; 402 int move_size = row_size;
403 if ((row + 1) * (move_size + 1) > (int)data_size) { 403 if ((row + 1) * (move_size + 1) > (int)data_size) {
404 move_size = last_row_size - 1; 404 move_size = last_row_size - 1;
405 } 405 }
406 FXSYS_memmove32(pDestData, pSrcData + 1, move_size); 406 FXSYS_memmove32(pDestData, pSrcData + 1, move_size);
407 pSrcData += move_size + 1; 407 pSrcData += move_size + 1;
408 pDestData += move_size; 408 pDestData += move_size;
409 byte_cnt += move_size + 1; 409 byte_cnt += move_size + 1;
410 continue; 410 continue;
411 } 411 }
412 byte_cnt++;
Tom Sepez 2014/08/15 16:51:30 nit: As I read this, it would make more sense to m
Bo Xu 2014/08/15 18:08:10 If put byte_cnt++ on line 401, then when tag==0, l
Tom Sepez 2014/08/15 19:02:12 Yep. Good catch.
412 for (int byte = 0; byte < row_size && byte_cnt < (int)data_size; byte ++ ) { 413 for (int byte = 0; byte < row_size && byte_cnt < (int)data_size; byte ++ ) {
413 FX_BYTE raw_byte = pSrcData[byte + 1]; 414 FX_BYTE raw_byte = pSrcData[byte + 1];
414 switch (tag) { 415 switch (tag) {
415 case 1: { 416 case 1: {
416 FX_BYTE left = 0; 417 FX_BYTE left = 0;
417 if (byte >= BytesPerPixel) { 418 if (byte >= BytesPerPixel) {
418 left = pDestData[byte - BytesPerPixel]; 419 left = pDestData[byte - BytesPerPixel];
419 } 420 }
420 pDestData[byte] = raw_byte + left; 421 pDestData[byte] = raw_byte + left;
421 break; 422 break;
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
457 break; 458 break;
458 } 459 }
459 default: 460 default:
460 pDestData[byte] = raw_byte; 461 pDestData[byte] = raw_byte;
461 break; 462 break;
462 } 463 }
463 byte_cnt++; 464 byte_cnt++;
464 } 465 }
465 pSrcData += row_size + 1; 466 pSrcData += row_size + 1;
466 pDestData += row_size; 467 pDestData += row_size;
467 byte_cnt++;
468 } 468 }
469 FX_Free(data_buf); 469 FX_Free(data_buf);
470 data_buf = dest_buf; 470 data_buf = dest_buf;
471 data_size = row_size * row_count - (last_row_size > 0 ? (row_size + 1 - last _row_size) : 0); 471 data_size = row_size * row_count - (last_row_size > 0 ? (row_size + 1 - last _row_size) : 0);
472 } 472 }
473 static void TIFF_PredictorEncodeLine(FX_LPBYTE dest_buf, int row_size, int BitsP erComponent, int Colors, int Columns) 473 static void TIFF_PredictorEncodeLine(FX_LPBYTE dest_buf, int row_size, int BitsP erComponent, int Colors, int Columns)
474 { 474 {
475 int BytesPerPixel = BitsPerComponent * Colors / 8; 475 int BytesPerPixel = BitsPerComponent * Colors / 8;
476 if (BitsPerComponent < 8) { 476 if (BitsPerComponent < 8) {
477 FX_BYTE mask = 0x01; 477 FX_BYTE mask = 0x01;
(...skipping 457 matching lines...) Expand 10 before | Expand all | Expand 10 after
935 dest_size = src_size + src_size / 1000 + 12; 935 dest_size = src_size + src_size / 1000 + 12;
936 dest_buf = FX_Alloc( FX_BYTE, dest_size); 936 dest_buf = FX_Alloc( FX_BYTE, dest_size);
937 if (dest_buf == NULL) { 937 if (dest_buf == NULL) {
938 return FALSE; 938 return FALSE;
939 } 939 }
940 unsigned long temp_size = dest_size; 940 unsigned long temp_size = dest_size;
941 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size); 941 FPDFAPI_FlateCompress(dest_buf, &temp_size, src_buf, src_size);
942 dest_size = (FX_DWORD)temp_size; 942 dest_size = (FX_DWORD)temp_size;
943 return TRUE; 943 return TRUE;
944 } 944 }
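Review bot: The `byte_cnt++` added before the per-byte loop (new line 412) has no comment, yet it is what keeps `byte_cnt < (int)data_size` in step with the `pSrcData[byte + 1]` read on new line 414, because the tag byte is now counted before any data byte of the row is consumed. I would put `// Count the predictor tag byte first so the loop bound covers pSrcData[byte + 1].` directly above it. Separately, both bounds compare against `(int)data_size` (new lines 403 and 413), and the product `(row + 1) * (move_size + 1)` is computed in `int`; if `data_size` is an unsigned 32-bit value, as the cast suggests, a stream size above INT_MAX or a large row product would make these checks unreliable, so a range check ahead of the row loop looks worthwhile. The start of the function is in the skipped lines, so such a check may already exist there.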