Limit the size of BMPs.
Place a 65535 pixel limit on image dimensions, like other codecs.
Rename the similar constant in faxmodule.cpp to the same per-codec naming scheme, which also
avoids potential name collisions between translation units in jumbo builds.
BUG=chromium:973230
Change-Id: Icfd7b95bdde0e20649068efe0fb575f86e043ea1
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/56013
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
index 6966a78..63aa145 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
@@ -42,6 +42,9 @@
constexpr uint32_t kBmpRle4 = 2L;
constexpr uint32_t kBmpBitfields = 3L;
+// Limit of image dimension. Use the same limit as the JBIG2 codecs.
+constexpr uint32_t kBmpMaxImageDimension = 65535;
+
uint8_t HalfRoundUp(uint8_t value) {
uint16_t value16 = value;
return static_cast<uint8_t>((value16 + 1) / 2);
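Review bot: The new `kBmpMaxImageDimension` at the top of the hunk is the third private copy of the same 65535 limit (the comment says JBIG2 uses it, and faxmodule.cpp carries its own in this same commit), so the three can silently drift apart. Consider one shared `kMaxImageDimension` in a common fxcodec header instead of per-codec copies, which would also remove the jumbo-build name-collision concern that motivated the rename. If the copies must stay, a comment naming the JBIG2 constant they mirror, e.g. `// Keep in sync with the JBIG2 and fax decoders' dimension limits.`, makes the coupling visible.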
@@ -185,7 +188,8 @@
}
}
- if (compress_flag_ > kBmpBitfields) {
+ if (width_ > kBmpMaxImageDimension || height_ > kBmpMaxImageDimension ||
+ compress_flag_ > kBmpBitfields) {
Error();
NOTREACHED();
}
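Review bot: The added check in `if (width_ > kBmpMaxImageDimension || height_ > kBmpMaxImageDimension || ...)` bounds each dimension separately, so a 65535x65535 image still passes, and if the output buffer is sized from `width_ * height_ * bpp` that product can still reach tens of gigabytes; if that is the allocation path, a pixel-count or byte-size cap alongside the per-dimension one would close the gap the commit is aiming at. The types of `width_`/`height_` are not visible here: if `height_` is signed (BMP uses a negative height for top-down images) the comparison against a `uint32_t` constant promotes it to unsigned, which rejects every negative height — fine only if the sign has already been normalized before this point, so a comment such as `// height_ has been made non-negative above; negative values would wrap here.` would document that assumption. A zero width or height is also not rejected by this check; if it is not handled elsewhere it should be. The enclosing function starts before this hunk.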
diff --git a/core/fxcodec/codec/faxmodule.cpp b/core/fxcodec/codec/faxmodule.cpp
index 12e9a95..89b60ec 100644
--- a/core/fxcodec/codec/faxmodule.cpp
+++ b/core/fxcodec/codec/faxmodule.cpp
@@ -40,7 +40,7 @@
};
// Limit of image dimension. Use the same limit as the JBIG2 codecs.
-constexpr int kMaxImageDimension = 65535;
+constexpr int kFaxMaxImageDimension = 65535;
constexpr int kFaxBpc = 1;
constexpr int kFaxComps = 1;
@@ -592,8 +592,10 @@
return nullptr;
// Reject unreasonable large input.
- if (actual_width > kMaxImageDimension || actual_height > kMaxImageDimension)
+ if (actual_width > kFaxMaxImageDimension ||
+ actual_height > kFaxMaxImageDimension) {
return nullptr;
+ }
return pdfium::MakeUnique<FaxDecoder>(src_span, actual_width, actual_height,
K, EndOfLine, EncodedByteAlign,