commit 6ec142da3f9cccb60a4d983ee7132c41a0798e24
author Henrique Nakashima <hnakashima@chromium.org> Mon Feb 05 22:28:22 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Mon Feb 05 22:28:22 2018 +0000
tree 0a5c82ac9ac0662805c7999d64dd80d363379fee
parent f743552fbdb17f974c9b1675af81210fe0ffcc50

Limit dest buffer to 1GB in FlateOrLZWDecode.

Bug: chromium:802094
Change-Id: I99d2d75cd431afe1cdb966e1431143ab43dd9a73
Reviewed-on: https://pdfium-review.googlesource.com/24730
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

core/fxcodec/codec/fx_codec_flate.cpp

diff --git a/core/fxcodec/codec/fx_codec_flate.cpp b/core/fxcodec/codec/fx_codec_flate.cpp
index 95902bb..e33a3d4 100644
--- a/core/fxcodec/codec/fx_codec_flate.cpp
+++ b/core/fxcodec/codec/fx_codec_flate.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/codec/codec_int.h"
 
 #include <algorithm>
+#include <limits>
 #include <memory>
 #include <utility>
 #include <vector>
@@ -39,9 +40,12 @@
 
 namespace {
 
+constexpr const static uint32_t kMaxTotalOutSize = 1024 * 1024 * 1024;  // 1 GiB
+
 uint32_t FlateGetPossiblyTruncatedTotalOut(void* context) {
-  return pdfium::base::saturated_cast<uint32_t>(
-      static_cast<z_stream*>(context)->total_out);
+  return std::min(pdfium::base::saturated_cast<uint32_t>(
+                      static_cast<z_stream*>(context)->total_out),
+                  kMaxTotalOutSize);
 }
 
 uint32_t FlateGetPossiblyTruncatedTotalIn(void* context) {