Google Git
Sign in
pdfium / pdfium / 0f39b8e630c9e9c21e54081aaf89a034be6d610c^! / .
commit0f39b8e630c9e9c21e54081aaf89a034be6d610c[log] [tgz]
authorLei Zhang <thestig@chromium.org>Sat Jun 01 00:49:13 2024 +0000
committerPdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>Sat Jun 01 00:49:13 2024 +0000
tree588992d31c16fbc30a1127bff47f5192abc3493b
parentf5aa1a796b0f545882641aa910c82e5b7b724810 [diff]
Validate `CPDF_IndexedCS::max_index_`

Reject index colorspaces where the "hival" is larger than 255.

Change-Id: I4c505cfef70196fe801bdcfeb77bb6030f7bffab
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/119931
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>

diff --git a/core/fpdfapi/page/cpdf_indexedcs.cpp b/core/fpdfapi/page/cpdf_indexedcs.cpp
index c8ba65f..dc9d0e7 100644
--- a/core/fpdfapi/page/cpdf_indexedcs.cpp
+++ b/core/fpdfapi/page/cpdf_indexedcs.cpp

@@ -33,24 +33,28 @@
 uint32_t CPDF_IndexedCS::v_Load(CPDF_Document* pDoc,
                                 const CPDF_Array* pArray,
                                 std::set<const CPDF_Object*>* pVisited) {
-  if (pArray->size() < 4)
+  if (pArray->size() < 4) {
     return 0;
+  }
 
   RetainPtr<const CPDF_Object> pBaseObj = pArray->GetDirectObjectAt(1);
-  if (HasSameArray(pBaseObj.Get()))
+  if (HasSameArray(pBaseObj.Get())) {
     return 0;
+  }
 
   auto* pDocPageData = CPDF_DocPageData::FromDocument(pDoc);
   m_pBaseCS =
       pDocPageData->GetColorSpaceGuarded(pBaseObj.Get(), nullptr, pVisited);
-  if (!m_pBaseCS)
+  if (!m_pBaseCS) {
     return 0;
+  }
 
-  // The base color space cannot be a Pattern or Indexed space, according to the
-  // PDF 1.7 spec, page 263.
+  // The base color space cannot be a Pattern or Indexed space, according to ISO
+  // 32000-1:2008 section 8.6.6.3.
   Family family = m_pBaseCS->GetFamily();
-  if (family == Family::kIndexed || family == Family::kPattern)
+  if (family == Family::kIndexed || family == Family::kPattern) {
     return 0;
+  }
 
   base_component_count_ = m_pBaseCS->ComponentCount();
   DCHECK(base_component_count_);
@@ -62,11 +66,17 @@
                                &component_min_max_[i * 2 + 1]);
     component_min_max_[i * 2 + 1] -= component_min_max_[i * 2];
   }
+
+  // ISO 32000-1:2008 section 8.6.6.3 says the maximum value is 255.
   max_index_ = pArray->GetIntegerAt(2);
+  if (max_index_ < 0 || max_index_ > 255) {
+    return 0;
+  }
 
   RetainPtr<const CPDF_Object> pTableObj = pArray->GetDirectObjectAt(3);
-  if (!pTableObj)
+  if (!pTableObj) {
     return 0;
+  }
 
   if (const CPDF_String* pString = pTableObj->AsString()) {
     lookup_table_ = pString->GetString();