
Unified Diff: core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp

Issue 886953002: Fix heap buffer overflow in CPDF_SampledFunc::v_Call (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 5 years, 11 months ago
Index: core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
index 649bd54a339f835974ffad06535ec0b5786579d8..3ceb0f7e8b4de2cb84357b43d7d40182fc5aaada 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
@@ -6,6 +6,7 @@
#include "../../../include/fpdfapi/fpdf_page.h"
#include "../../../include/fpdfapi/fpdf_module.h"
+#include "../../../third_party/numerics/safe_conversions_impl.h"
#include "pageint.h"
#include <limits.h>
class CPDF_PSEngine;
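Review bot: The added include names `safe_conversions_impl.h`, which by its name is an internal implementation header of the numerics library rather than its public entry point. The type this change actually uses is `FX_SAFE_INT32`, so the file should include whichever project header declares that type directly. Depending on an `_impl` header being transitively sufficient is fragile and can break when the third-party code is updated.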
@@ -553,13 +554,24 @@ FX_BOOL CPDF_SampledFunc::v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const
}
pos += index[i] * blocksize[i];
}
- int bitpos = pos * m_nBitsPerSample * m_nOutputs;
+ FX_SAFE_INT32 bitpos = pos;
+ bitpos *= m_nBitsPerSample;
+ bitpos *= m_nOutputs;
+ if (!bitpos.IsValid()) {
+ return FALSE;
+ }
FX_LPCBYTE pSampleData = m_pSampleStream->GetData();
if (pSampleData == NULL) {
return FALSE;
}
+ FX_SAFE_INT32 bitpos1 = m_nOutputs - 1 > 0 ? m_nOutputs - 1 : 0;
+ bitpos1 *= m_nBitsPerSample;
+ bitpos1 += bitpos.ValueOrDie();
+ if (!bitpos1.IsValid()) {
+ return FALSE;
+ }
for (int j = 0; j < m_nOutputs; j ++) {
- FX_DWORD sample = _GetBits32(pSampleData, bitpos + j * m_nBitsPerSample, m_nBitsPerSample);
+ FX_DWORD sample = _GetBits32(pSampleData, bitpos.ValueOrDie() + j * m_nBitsPerSample, m_nBitsPerSample);
FX_FLOAT encoded = (FX_FLOAT)sample;
for (int i = 0; i < m_nInputs; i ++) {
if (index[i] == m_pEncodeInfo[i].sizes - 1) {
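Review bot: The checks added before the `for (int j ...)` loop reject only offsets that overflow a 32-bit int; neither `bitpos` nor `bitpos1` is compared with the amount of data behind `pSampleData`. Assuming `_GetBits32` (not visible here) does no bounds checking of its own, a stream shorter than the function's declared dimensions imply can still be read past its end, and the `bitpos2` read in the next hunk has the same gap. A range check against the stream length would close this, sketched below on the assumption that `m_pSampleStream` exposes its byte length through `GetSize()`. Separately, `bitpos1` is never used as an offset, so a comment such as `// bit offset of the last sample read by the loop below` would explain why it exists. `v_Call` begins and ends outside this hunk.

```cpp
// … unchanged: bitpos1 overflow check …
// Last bit touched by the loop below, rounded up to whole bytes.
FX_SAFE_INT32 range_check = bitpos1;
range_check += m_nBitsPerSample;
range_check += 7;
range_check /= 8;
if (!range_check.IsValid() || range_check.ValueOrDie() > m_pSampleStream->GetSize()) {
    return FALSE;
}
// … unchanged: per-output sampling loop …
```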
@@ -567,8 +579,15 @@ FX_BOOL CPDF_SampledFunc::v_Call(FX_FLOAT* inputs, FX_FLOAT* results) const
encoded = encoded_input[i] * (FX_FLOAT)sample;
}
} else {
- int bitpos1 = bitpos + m_nBitsPerSample * m_nOutputs * blocksize[i];
- FX_DWORD sample1 = _GetBits32(pSampleData, bitpos1 + j * m_nBitsPerSample, m_nBitsPerSample);
+ FX_SAFE_INT32 bitpos2 = blocksize[i];
+ bitpos2 += 1;
+ bitpos2 *= m_nBitsPerSample;
+ bitpos2 *= m_nOutputs;
+ bitpos2 += bitpos.ValueOrDie();
+ if (!bitpos2.IsValid()) {
+ return FALSE;
+ }
+ FX_DWORD sample1 = _GetBits32(pSampleData, bitpos2.ValueOrDie(), m_nBitsPerSample);
encoded += (encoded_input[i] - index[i]) * ((FX_FLOAT)sample1 - (FX_FLOAT)sample);
}
}
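Review bot: `bitpos2` does not address the same bits as the code it replaces. The removed lines read `sample1` at `bitpos + m_nBitsPerSample * m_nOutputs * blocksize[i] + j * m_nBitsPerSample`, while the new read is at `bitpos + (blocksize[i] + 1) * m_nBitsPerSample * m_nOutputs` with no `j` term. Every output channel therefore interpolates against the same value, taken up to one whole sample group further into the buffer. If that shift is not intended, keep the checked arithmetic but rebuild the old offset with `bitpos2 *= m_nOutputs; bitpos2 += j; bitpos2 *= m_nBitsPerSample;` in place of the `+= 1`, `*= m_nBitsPerSample` and `*= m_nOutputs` lines. The enclosing loops and `v_Call` continue outside this hunk.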