core/src/fxcodec/codec/fx_codec_jpx_opj.cpp - Issue 489703004: Bounds check before fixed-size memcmp() in CJPX_Decoder::Init().

Side by Side Diff: core/src/fxcodec/codec/fx_codec_jpx_opj.cpp

Issue 489703004: Bounds check before fixed-size memcmp() in CJPX_Decoder::Init(). (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 PDFium Authors. All rights reserved.	1 // Copyright 2014 PDFium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com	5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com

6	6

7 #include "../../../include/fxcodec/fx_codec.h"	7 #include "../../../include/fxcodec/fx_codec.h"

8 #include "codec_int.h"	8 #include "codec_int.h"

9 #include "../fx_libopenjpeg/libopenjpeg20/openjpeg.h"	9 #include "../fx_libopenjpeg/libopenjpeg20/openjpeg.h"

10 #include "../lcms2/include/fx_lcms2.h"	10 #include "../lcms2/include/fx_lcms2.h"

(...skipping 563 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
574 }	574 }

575 if(l_stream) {	575 if(l_stream) {

576 opj_stream_destroy(l_stream);	576 opj_stream_destroy(l_stream);

577 }	577 }

578 if(image) {	578 if(image) {

579 opj_image_destroy(image);	579 opj_image_destroy(image);

580 }	580 }

581 }	581 }

582 FX_BOOL CJPX_Decoder::Init(const unsigned char* src_data, int src_size)	582 FX_BOOL CJPX_Decoder::Init(const unsigned char* src_data, int src_size)

583 {	583 {

584 opj_dparameters_t parameters;	584 opj_dparameters_t parameters;
	jun_fang 2014/08/26 21:48:09 if (!src_data \|\| src_size <= 0) { return FALSE if (!src_data \|\| src_size <= 0) { return FALSE; } jun_fang 2014/08/26 22:01:17 We can define an array to save the string "\x00\x0 Show quoted text On 2014/08/26 21:48:09, jun_fang wrote: > if (!src_data \|\| src_size <= 0) { > return FALSE; > } We can define an array to save the string "\x00\x00\x00\x0c\x6a\x50\x20\x20\x0d\x0a\x87\x0a" here and check: char szJP2Header[] = {'\x00','\x00', '\x00','\x0c','\x6a','\x50','\x20','\x20','\x0d','\x0a','\x87','\x0a'}; if (!src_data \|\| src_size <= sizeof(szJP2Header)/sizeof(char)) { return FALSE; }
585 image = NULL;	585 image = NULL;

586 m_SrcData = src_data;	586 m_SrcData = src_data;

587 m_SrcSize = src_size;	587 m_SrcSize = src_size;

588 decodeData srcData;	588 decodeData srcData;

589 srcData.offset = 0;	589 srcData.offset = 0;

590 srcData.src_size = src_size;	590 srcData.src_size = src_size;

591 srcData.src_data = src_data;	591 srcData.src_data = src_data;

592 l_stream = fx_opj_stream_create_memory_stream(&srcData, OPJ_J2K_STREAM_CHUNK _SIZE, 1);	592 l_stream = fx_opj_stream_create_memory_stream(&srcData, OPJ_J2K_STREAM_CHUNK _SIZE, 1);

593 if (l_stream == NULL) {	593 if (l_stream == NULL) {

594 return FALSE;	594 return FALSE;

595 }	595 }

596 opj_set_default_decoder_parameters(&parameters);	596 opj_set_default_decoder_parameters(&parameters);

597 parameters.decod_format = 0;	597 parameters.decod_format = 0;

598 parameters.cod_format = 3;	598 parameters.cod_format = 3;

599 if(FXSYS_memcmp32(m_SrcData, "\x00\x00\x00\x0c\x6a\x50\x20\x20\x0d\x0a\x87\x 0a", 12) == 0) {	599 if(m_SrcSize >= 12 && FXSYS_memcmp32(m_SrcData, "\x00\x00\x00\x0c\x6a\x50\x2 0\x20\x0d\x0a\x87\x0a", 12) == 0) {
	jun_fang 2014/08/26 21:48:09 1. Define an array to save the string "\x00\x00\x0 1. Define an array to save the string "\x00\x00\x00\x0c\x6a\x50\x2 0\x20\x0d\x0a\x87\x0a". This array's name can be szJP2Header. 2. Use sizeof(arrary_name) to replace '12' that is a magic number.
600 l_codec = opj_create_decompress(OPJ_CODEC_JP2);	600 l_codec = opj_create_decompress(OPJ_CODEC_JP2);

601 parameters.decod_format = 1;	601 parameters.decod_format = 1;

602 } else {	602 } else {

603 l_codec = opj_create_decompress(OPJ_CODEC_J2K);	603 l_codec = opj_create_decompress(OPJ_CODEC_J2K);

604 }	604 }

605 if(!l_codec) {	605 if(!l_codec) {

606 return FALSE;	606 return FALSE;

607 }	607 }

608 opj_set_info_handler(l_codec, fx_info_callback, 00);	608 opj_set_info_handler(l_codec, fx_info_callback, 00);

609 opj_set_warning_handler(l_codec, fx_warning_callback, 00);	609 opj_set_warning_handler(l_codec, fx_warning_callback, 00);

(...skipping 172 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
782 FX_BOOL CCodec_JpxModule::Decode(void* ctx, FX_LPBYTE dest_data, int pitch, FX_B OOL bTranslateColor, FX_LPBYTE offsets)	782 FX_BOOL CCodec_JpxModule::Decode(void* ctx, FX_LPBYTE dest_data, int pitch, FX_B OOL bTranslateColor, FX_LPBYTE offsets)

783 {	783 {

784 CJPX_Decoder* pDecoder = (CJPX_Decoder*)ctx;	784 CJPX_Decoder* pDecoder = (CJPX_Decoder*)ctx;

785 return pDecoder->Decode(dest_data, pitch, bTranslateColor, offsets);	785 return pDecoder->Decode(dest_data, pitch, bTranslateColor, offsets);

786 }	786 }

787 void CCodec_JpxModule::DestroyDecoder(void* ctx)	787 void CCodec_JpxModule::DestroyDecoder(void* ctx)

788 {	788 {

789 CJPX_Decoder* pDecoder = (CJPX_Decoder*)ctx;	789 CJPX_Decoder* pDecoder = (CJPX_Decoder*)ctx;

790 delete pDecoder;	790 delete pDecoder;

791 }	791 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »