Issue 892553002: Fix JPX image rendering that regressed due to several security fixes.

Lei Zhang

thestig@chromium.org changed reviewers: + jun_fang@foxitsoftware.com, tsepez@chromium.org

5 years, 10 months ago (2015-01-30 06:43:57 UTC) #1

Lei Zhang

Warning: I don't really understand this code, so please review carefully. https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (left): ...

5 years, 10 months ago (2015-01-30 06:43:58 UTC) #2

Tom Sepez

Do you have sample images for use in tests? https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (left): https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#oldcode317 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:317: ...

5 years, 10 months ago (2015-01-30 17:25:29 UTC) #3

Lei Zhang

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (left): https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#oldcode317 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:317: if (m_bpc == 0 || m_nComponents == 0) { ...

5 years, 10 months ago (2015-01-30 23:00:07 UTC) #4

Tom Sepez

Feels like the right thing to do is to set m_bpc earlier, then we wouldn't ...

5 years, 10 months ago (2015-01-30 23:08:25 UTC) #5

Lei Zhang

On 2015/01/30 23:08:25, Tom Sepez wrote: > Feels like the right thing to do is ...

5 years, 10 months ago (2015-01-31 01:47:51 UTC) #6

Lei Zhang

Jun, BTW, do you have test cases for JPX images? I feel we should not ...

5 years, 10 months ago (2015-01-31 02:12:33 UTC) #7

jun_fang

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (left): https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#oldcode317 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:317: if (m_bpc == 0 || m_nComponents == 0) { ...

5 years, 10 months ago (2015-01-31 04:29:22 UTC) #8

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render...
File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (left):

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render...
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:317: if (m_bpc == 0 ||
m_nComponents == 0) {
On 2015/01/30 23:00:07, Lei Zhang wrote:
> On 2015/01/30 17:25:29, Tom Sepez wrote:
> > From the original review, I asked the question and got the answer:
> > 
> > > We continue execution here in the old code in this case. Why do we want to
> > > short-circuit the calls below? Is this the comparison from line 221 of the
> old
> > > file moved up here?
> > 
> > You can find |FX_DWORD src_pitch = m_bpc;| at line 178 of original code. if
> > |m_bpc| is 0, it can't load any data at line 198 in the original code
because
> > |m_Height * src_pitch| is 0.
> 
> I disagree with that assessment. If you follow the calls where |src_pitch| is
> used:
> 
> -> CPDF_StreamAcc::LoadAllData()
> --> PDF_DataDecode()
> ---> FPDFAPI_FlateOrLZWDecode()
> ----> CCodec_FlateModule::FlateOrLZWDecode()
> -----> FlateUncompress()
> 
> In FlateUncompress(), the variable that correlates with |src_pitch| is
> |orig_size|, and the first thing the function does is to handle the 0 case and
> use some default values.
> 
> > bpc: bits per component
> > components are used in color space. For example, RGB color space has 3
> > components. 
> > They must be larger than 0 (>0).
> > 
> > Maybe we want to bounce this off Jun again.
> 
> For the test PDF from the bug report, |m_bpc| starts off as 0 in
> CPDF_DIBSource::StartLoadDIBSource(). Then we call:
> 
> -> CPDF_DIBSource::CreateDecoder()
> --> CPDF_DIBSource::LoadJpxBitmap()
> 
> and LoadJpxBitmap() sets |m_bpc| to 8 at the end on success.
> 
> So either we need to make an exception here, or someone should have set
|m_bpc|
> earlier. Otherwise, I don't see how JPX decoding can work. I don't know where
> the bug is exactly, so I just picked one direction.

According to PDF standard, BitsPerComponent(bpc) is required in image dictionary
expect for image masks and images that use the JPXDecode filter). That means
BitsPerComponent(bpc) is optional for JPX images. It's incorrect to check |m_bpc
== 0| here without exceptions. It needs to do some changes here.

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render...
File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (right):

https://codereview.chromium.org/892553002/diff/1/core/src/fpdfapi/fpdf_render...
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:567: if (decoder !=
FX_BSTRC("CCITTFaxDecode") &&
On 2015/01/30 06:43:58, Lei Zhang wrote:
> I don't think |m_bpc| matters for these decoders, but I'm not 100% sure.

It's no need to check bpc for only JPX images and image masks. Other image
formats, we still need to check.

Lei Zhang

I created one possible solution in patch set 3, and another in patch set 4. ...

5 years, 10 months ago (2015-02-07 08:39:11 UTC) #9

Tom Sepez

On 2015/02/07 08:39:11, Lei Zhang wrote: Let me give you a LGTM for either one. ...

5 years, 10 months ago (2015-02-08 17:33:04 UTC) #10

Lei Zhang

New patchsets have been uploaded after l-g-t-m from tsepez@chromium.org

5 years, 10 months ago (2015-02-10 02:51:13 UTC) #11

Lei Zhang

On 2015/02/08 17:33:04, Tom Sepez wrote: > On 2015/02/07 08:39:11, Lei Zhang wrote: > Let ...

5 years, 10 months ago (2015-02-10 02:53:03 UTC) #12

jun_fang

https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (right): https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#newcode334 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:334: const CFX_ByteString& decoder = m_pStreamAcc->GetImageDecoder(); ValidateDictParam() is used to ...

5 years, 10 months ago (2015-02-11 16:55:24 UTC) #13

Lei Zhang

https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (right): https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#newcode334 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:334: const CFX_ByteString& decoder = m_pStreamAcc->GetImageDecoder(); On 2015/02/11 16:55:24, jun_fang ...

5 years, 10 months ago (2015-02-13 02:15:37 UTC) #14

Lei Zhang

https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp File core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp (right): https://codereview.chromium.org/892553002/diff/80001/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp#newcode456 core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:456: filter == FX_BSTRC("CCITTFaxDecode")) { On 2015/02/13 02:15:37, Lei Zhang ...

5 years, 10 months ago (2015-02-13 02:51:07 UTC) #15

Lei Zhang

On 2015/02/13 02:51:07, Lei Zhang wrote: > Oh, nevermind. I understand what you are saying. ...

5 years, 10 months ago (2015-02-13 03:00:23 UTC) #16

Jun Fang

On 2015/02/13 03:00:23, Lei Zhang wrote: > On 2015/02/13 02:51:07, Lei Zhang wrote: > > ...

5 years, 10 months ago (2015-02-13 19:34:35 UTC) #17

Lei Zhang

5 years, 10 months ago (2015-02-13 20:02:46 UTC) #18

Message was sent while issue was closed.

Committed patchset #6 (id:100001) manually as
254360730190cc6d6e3de325ee101948b78c1e32 (presubmit successful).

Issue 892553002: Fix JPX image rendering that regressed due to several security fixes. (Closed)

Description

Patch Set 1 #

Patch Set 2 : rebase #

Patch Set 3 : Avoid checks only for JPX #

Patch Set 4 : Possible better solution #

Patch Set 5 : rebase patch set 4 #

Patch Set 6 : #

Messages