
Side by Side Diff: core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp

Issue 892553002: Fix JPX image rendering that regressed due to several security fixes. (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 5 years, 10 months ago
OLDNEW
1 // Copyright 2014 PDFium Authors. All rights reserved. 1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "../../../include/fxge/fx_ge.h" 7 #include "../../../include/fxge/fx_ge.h"
8 #include "../../../include/fxcodec/fx_codec.h" 8 #include "../../../include/fxcodec/fx_codec.h"
9 #include "../../../include/fpdfapi/fpdf_module.h" 9 #include "../../../include/fpdfapi/fpdf_module.h"
10 #include "../../../include/fpdfapi/fpdf_render.h" 10 #include "../../../include/fpdfapi/fpdf_render.h"
(...skipping 296 matching lines...) Expand 10 before | Expand all | Expand 10 after
307 m_Width = m_pDict->GetInteger(FX_BSTRC("Width")); 307 m_Width = m_pDict->GetInteger(FX_BSTRC("Width"));
308 m_Height = m_pDict->GetInteger(FX_BSTRC("Height")); 308 m_Height = m_pDict->GetInteger(FX_BSTRC("Height"));
309 if (m_Width <= 0 || m_Height <= 0 || m_Width > 0x01ffff || m_Height > 0x01ff ff) { 309 if (m_Width <= 0 || m_Height <= 0 || m_Width > 0x01ffff || m_Height > 0x01ff ff) {
310 return 0; 310 return 0;
311 } 311 }
312 m_GroupFamily = GroupFamily; 312 m_GroupFamily = GroupFamily;
313 m_bLoadMask = bLoadMask; 313 m_bLoadMask = bLoadMask;
314 if (!LoadColorInfo(m_pStream->GetObjNum() != 0 ? NULL : pFormResources, pPag eResources)) { 314 if (!LoadColorInfo(m_pStream->GetObjNum() != 0 ? NULL : pFormResources, pPag eResources)) {
315 return 0; 315 return 0;
316 } 316 }
317 if (m_bpc == 0 || m_nComponents == 0) {
Lei Zhang 2015/01/30 06:43:58 If you look in the CL that introduced this: https
Tom Sepez 2015/01/30 17:25:29 From the original review, I asked the question and
Lei Zhang 2015/01/30 23:00:07 I disagree with that assessment. If you follow the
jun_fang 2015/01/31 04:29:22 According to PDF standard, BitsPerComponent(bpc) i
318 return 0;
319 }
320 FX_SAFE_DWORD src_pitch = m_bpc; 317 FX_SAFE_DWORD src_pitch = m_bpc;
321 src_pitch *= m_nComponents; 318 src_pitch *= m_nComponents;
322 src_pitch *= m_Width; 319 src_pitch *= m_Width;
323 src_pitch += 7; 320 src_pitch += 7;
324 src_pitch /= 8; 321 src_pitch /= 8;
325 src_pitch *= m_Height; 322 src_pitch *= m_Height;
326 if (!src_pitch.IsValid()) { 323 if (!src_pitch.IsValid()) {
327 return 0; 324 return 0;
328 } 325 }
329 m_pStreamAcc = FX_NEW CPDF_StreamAcc; 326 m_pStreamAcc = FX_NEW CPDF_StreamAcc;
(...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after
560 ICodec_ScanlineDecoder* FPDFAPI_CreateFaxDecoder(FX_LPCBYTE src_buf, FX_DWORD sr c_size, int width, int height, 557 ICodec_ScanlineDecoder* FPDFAPI_CreateFaxDecoder(FX_LPCBYTE src_buf, FX_DWORD sr c_size, int width, int height,
561 const CPDF_Dictionary* pParams); 558 const CPDF_Dictionary* pParams);
562 ICodec_ScanlineDecoder* FPDFAPI_CreateFlateDecoder(FX_LPCBYTE src_buf, FX_DWORD src_size, int width, int height, 559 ICodec_ScanlineDecoder* FPDFAPI_CreateFlateDecoder(FX_LPCBYTE src_buf, FX_DWORD src_size, int width, int height,
563 int nComps, int bpc, const CPDF_Dictionary* pParams); 560 int nComps, int bpc, const CPDF_Dictionary* pParams);
564 int CPDF_DIBSource::CreateDecoder() 561 int CPDF_DIBSource::CreateDecoder()
565 { 562 {
566 const CFX_ByteString& decoder = m_pStreamAcc->GetImageDecoder(); 563 const CFX_ByteString& decoder = m_pStreamAcc->GetImageDecoder();
567 if (decoder.IsEmpty()) { 564 if (decoder.IsEmpty()) {
568 return 1; 565 return 1;
569 } 566 }
570 if (m_bpc == 0) { 567 if (decoder != FX_BSTRC("CCITTFaxDecode") &&
Lei Zhang 2015/01/30 06:43:58 I don't think |m_bpc| matters for these decoders,
jun_fang 2015/01/31 04:29:22 It's no need to check bpc for only JPX images and
571 return 0; 568 decoder != FX_BSTRC("JPXDecode") &&
569 decoder != FX_BSTRC("JBIG2Decode")) {
570 if (m_bpc == 0) {
571 return 0;
572 }
572 } 573 }
573 FX_LPCBYTE src_data = m_pStreamAcc->GetData(); 574 FX_LPCBYTE src_data = m_pStreamAcc->GetData();
574 FX_DWORD src_size = m_pStreamAcc->GetSize(); 575 FX_DWORD src_size = m_pStreamAcc->GetSize();
575 const CPDF_Dictionary* pParams = m_pStreamAcc->GetImageParam(); 576 const CPDF_Dictionary* pParams = m_pStreamAcc->GetImageParam();
576 if (decoder == FX_BSTRC("CCITTFaxDecode")) { 577 if (decoder == FX_BSTRC("CCITTFaxDecode")) {
577 m_pDecoder = FPDFAPI_CreateFaxDecoder(src_data, src_size, m_Width, m_Hei ght, pParams); 578 m_pDecoder = FPDFAPI_CreateFaxDecoder(src_data, src_size, m_Width, m_Hei ght, pParams);
578 } else if (decoder == FX_BSTRC("DCTDecode")) { 579 } else if (decoder == FX_BSTRC("DCTDecode")) {
579 m_pDecoder = CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(src_d ata, src_size, m_Width, m_Height, 580 m_pDecoder = CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(src_d ata, src_size, m_Width, m_Height,
580 m_nComponents, pParams ? pParams->GetInteger(FX_BSTR("Color Transform"), 1) : 1); 581 m_nComponents, pParams ? pParams->GetInteger(FX_BSTR("Color Transform"), 1) : 1);
581 if (NULL == m_pDecoder) { 582 if (!m_pDecoder) {
582 FX_BOOL bTransform = FALSE; 583 FX_BOOL bTransform = FALSE;
583 int comps, bpc; 584 int comps, bpc;
584 ICodec_JpegModule* pJpegModule = CPDF_ModuleMgr::Get()->GetJpegModul e(); 585 ICodec_JpegModule* pJpegModule = CPDF_ModuleMgr::Get()->GetJpegModul e();
585 if (pJpegModule->LoadInfo(src_data, src_size, m_Width, m_Height, com ps, bpc, bTransform)) { 586 if (pJpegModule->LoadInfo(src_data, src_size, m_Width, m_Height, com ps, bpc, bTransform)) {
586 if (m_nComponents != comps) { 587 if (m_nComponents != comps) {
587 FX_Free(m_pCompData); 588 FX_Free(m_pCompData);
588 m_nComponents = comps; 589 m_nComponents = comps;
589 if (m_Family == PDFCS_LAB && m_nComponents != 3) { 590 if (m_Family == PDFCS_LAB && m_nComponents != 3) {
590 m_pCompData = NULL; 591 m_pCompData = NULL;
591 return 0; 592 return 0;
(...skipping 18 matching lines...) Expand all
610 if (!m_pCachedBitmap->Create(m_Width, m_Height, m_bImageMask ? FXDIB_1bp pMask : FXDIB_1bppRgb)) { 611 if (!m_pCachedBitmap->Create(m_Width, m_Height, m_bImageMask ? FXDIB_1bp pMask : FXDIB_1bppRgb)) {
611 delete m_pCachedBitmap; 612 delete m_pCachedBitmap;
612 m_pCachedBitmap = NULL; 613 m_pCachedBitmap = NULL;
613 return 0; 614 return 0;
614 } 615 }
615 m_Status = 1; 616 m_Status = 1;
616 return 2; 617 return 2;
617 } else if (decoder == FX_BSTRC("RunLengthDecode")) { 618 } else if (decoder == FX_BSTRC("RunLengthDecode")) {
618 m_pDecoder = CPDF_ModuleMgr::Get()->GetCodecModule()->GetBasicModule()-> CreateRunLengthDecoder(src_data, src_size, m_Width, m_Height, m_nComponents, m_b pc); 619 m_pDecoder = CPDF_ModuleMgr::Get()->GetCodecModule()->GetBasicModule()-> CreateRunLengthDecoder(src_data, src_size, m_Width, m_Height, m_nComponents, m_b pc);
619 } 620 }
620 if (m_pDecoder) { 621 if (!m_pDecoder)
Lei Zhang 2015/01/30 06:43:58 This is just to put all the "return 0" cases befor
621 FX_SAFE_DWORD requested_pitch = m_bpc; 622 return 0;
622 requested_pitch *= m_nComponents; 623
623 requested_pitch *= m_Width; 624 FX_SAFE_DWORD requested_pitch = m_bpc;
624 requested_pitch += 7; 625 requested_pitch *= m_nComponents;
625 requested_pitch /= 8; 626 requested_pitch *= m_Width;
626 if (!requested_pitch.IsValid()) { 627 requested_pitch += 7;
627 return 0; 628 requested_pitch /= 8;
628 } 629 if (!requested_pitch.IsValid()) {
629 FX_SAFE_DWORD provided_pitch = m_pDecoder->GetBPC(); 630 return 0;
630 provided_pitch *= m_pDecoder->CountComps();
631 provided_pitch *= m_pDecoder->GetWidth();
632 provided_pitch += 7;
633 provided_pitch /= 8;
634 if (!provided_pitch.IsValid()) {
635 return 0;
636 }
637 if (provided_pitch.ValueOrDie() < requested_pitch.ValueOrDie()) {
638 return 0;
639 }
640 return 1;
641 } 631 }
642 return 0; 632 FX_SAFE_DWORD provided_pitch = m_pDecoder->GetBPC();
633 provided_pitch *= m_pDecoder->CountComps();
634 provided_pitch *= m_pDecoder->GetWidth();
635 provided_pitch += 7;
636 provided_pitch /= 8;
637 if (!provided_pitch.IsValid()) {
638 return 0;
639 }
640 if (provided_pitch.ValueOrDie() < requested_pitch.ValueOrDie()) {
641 return 0;
642 }
643 return 1;
643 } 644 }
644 void CPDF_DIBSource::LoadJpxBitmap() 645 void CPDF_DIBSource::LoadJpxBitmap()
645 { 646 {
646 ICodec_JpxModule* pJpxModule = CPDF_ModuleMgr::Get()->GetJpxModule(); 647 ICodec_JpxModule* pJpxModule = CPDF_ModuleMgr::Get()->GetJpxModule();
647 if (pJpxModule == NULL) { 648 if (pJpxModule == NULL) {
648 return; 649 return;
649 } 650 }
650 FX_LPVOID ctx = pJpxModule->CreateDecoder(m_pStreamAcc->GetData(), m_pStream Acc->GetSize(), m_pColorSpace != NULL); 651 FX_LPVOID ctx = pJpxModule->CreateDecoder(m_pStreamAcc->GetData(), m_pStream Acc->GetSize(), m_pColorSpace != NULL);
651 if (ctx == NULL) { 652 if (ctx == NULL) {
652 return; 653 return;
(...skipping 914 matching lines...) Expand 10 before | Expand all | Expand 10 after
1567 if (!m_bCached) { 1568 if (!m_bCached) {
1568 if (m_pBitmap) { 1569 if (m_pBitmap) {
1569 delete m_pBitmap; 1570 delete m_pBitmap;
1570 m_pBitmap = NULL; 1571 m_pBitmap = NULL;
1571 } 1572 }
1572 if (m_pMask) { 1573 if (m_pMask) {
1573 delete m_pMask; 1574 delete m_pMask;
1574 } 1575 }
1575 } 1576 }
1576 } 1577 }
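Review bot: With the `m_bpc == 0 || m_nComponents == 0` guard dropped ahead of the `src_pitch` computation (old lines 317-319), nothing visible on the new side rejects `m_nComponents == 0`, and the replacement guard in `CreateDecoder()` (new lines 567-573) tests only `m_bpc`. When either value is zero, `requested_pitch` (new lines 624-631) evaluates to 0, so `provided_pitch.ValueOrDie() < requested_pitch.ValueOrDie()` can never fail; the comparison then places no constraint on the decoder for an exempt filter that reaches it (CCITTFaxDecode appears to) or for any filter entered with zero components. Unless `LoadColorInfo()` (not shown here) already guarantees a non-zero component count, I would keep that half of the check, e.g. `if (m_bpc == 0 || m_nComponents == 0) {` inside the non-exempt branch, and add a comment above the exemption list saying why each listed filter is safe with a zero `m_bpc`. Both functions continue outside the displayed lines, so this is based on the visible portions only.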
OLDNEW