Chromium Code Reviews

Issue 886953002: Fix heap buffer overflow in CPDF_SampledFunc::v_Call (Closed)

Created:
5 years, 10 months ago by jun_fang
Modified:
5 years, 9 months ago
Reviewers:
Tom Sepez, kai_jing
Base URL:
https://pdfium.googlesource.com/pdfium.git@master
Target Ref:
refs/heads/master
Visibility:
Public.

Description

Fix heap buffer overflow in CPDF_SampledFunc::v_Call

This issue was caused by integer overflow in CPDF_SampledFunc::v_Call. The root cause of this issue is that the content in the test pdf file was damaged. The solution is to check whether an integer has overflowed before using it.

BUG=452455
R=tsepez@chromium.org

Committed: https://pdfium.googlesource.com/pdfium/+/7dc63e6c53add27084929ffe52436b7bb6667a80
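The description above states the fix pattern without showing it: check the integer arithmetic that produces a sample offset for overflow before using it to index the sample stream. The following is an added illustration of that pattern, not the PDFium patch itself; the stream layout (index * outputs * bits per sample), the sample data and the function names are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Constructed sample stream: 4 samples x 1 output x 8 bits each (hypothetical data).
static const uint8_t kSampleStream[] = {0x10, 0x20, 0x30, 0x40};
static const size_t kSampleStreamSize = sizeof(kSampleStream);

// Multiply without wrapping: returns false when the product does not fit in 32 bits.
static bool CheckedMul32(uint32_t a, uint32_t b, uint32_t* out) {
  uint64_t wide = static_cast<uint64_t>(a) * static_cast<uint64_t>(b);
  if (wide > std::numeric_limits<uint32_t>::max()) return false;
  *out = static_cast<uint32_t>(wide);
  return true;
}

// The unchecked form: products silently wrap, so a damaged file carrying a huge
// sample index can produce a small offset that passes a naive bounds check even
// though the intended offset lies far outside the stream.
static uint32_t WrappingBitOffset(uint32_t index, uint32_t n_outputs,
                                  uint32_t bits_per_sample) {
  return index * n_outputs * bits_per_sample;
}

// Hardened lookup: every multiplication is overflow-checked and the resulting
// byte offset is compared against the stream size before memory is touched.
static bool ReadSampleByte(uint32_t index, uint32_t n_outputs,
                           uint32_t bits_per_sample, const uint8_t* stream,
                           size_t stream_size, uint8_t* value) {
  uint32_t bit_offset = 0;
  if (!CheckedMul32(index, n_outputs, &bit_offset)) return false;
  if (!CheckedMul32(bit_offset, bits_per_sample, &bit_offset)) return false;
  size_t byte_offset = bit_offset / 8;
  if (byte_offset >= stream_size) return false;  // refuse the out-of-bounds read
  *value = stream[byte_offset];
  return true;
}
```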

Patch Set 1 #

Stats: +23 lines, -4 lines
M core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp (3 chunks, +23 lines, -4 lines, 0 comments)

Messages

Total messages: 9 (1 generated)
jun_fang
Hi Tom, please review it. Thanks!
5 years, 10 months ago (2015-01-30 04:46:51 UTC) #2
Tom Sepez
OK, the code is fine, but we should be able to minimize the original input ...
5 years, 10 months ago (2015-01-30 17:32:24 UTC) #3
Tom Sepez
Curious that the caller doesn't check the result at or around fpdf_page_func.cpp:875
5 years, 10 months ago (2015-01-30 17:40:41 UTC) #4
Tom Sepez
On 2015/01/30 17:40:41, Tom Sepez wrote: > Curious that the caller doesn't check the result ...
5 years, 10 months ago (2015-01-30 18:35:04 UTC) #5
jun_fang
On 2015/01/30 17:32:24, Tom Sepez wrote: > OK, the code is fine, but we should ...
5 years, 10 months ago (2015-01-30 18:39:28 UTC) #6
jun_fang
On 2015/01/30 18:35:04, Tom Sepez wrote: > On 2015/01/30 17:40:41, Tom Sepez wrote: > > ...
5 years, 10 months ago (2015-01-30 18:42:33 UTC) #7
Tom Sepez
lgtm
5 years, 10 months ago (2015-01-30 19:18:45 UTC) #8
jun_fang
5 years, 10 months ago (2015-01-31 18:12:58 UTC) #9
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as
7dc63e6c53add27084929ffe52436b7bb6667a80 (presubmit successful).
