commit 116c227e40a9eae4ee706d0c6ccb0d9c0c51f411
author Tom Sepez <tsepez@chromium.org> Wed Oct 20 18:53:13 2021 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Oct 20 18:53:13 2021 +0000
tree 7fcb95652d98ffaf48b53c6393da195a519c0757
parent 57fce57db8b26ea18037160e597204a701004d4f

Check ranges array size in CPDF_ICCBasedCS::GetRanges().

Return the default array if it is too small.

Test: CF to verify
Bug: chromium:1257730
Change-Id: I2cc3e8715e0f19f638547461408a391cd92ac0e8
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/86270
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

core/fpdfapi/page/cpdf_colorspace.cpp

diff --git a/core/fpdfapi/page/cpdf_colorspace.cpp b/core/fpdfapi/page/cpdf_colorspace.cpp
index da5549e..133a23a 100644
--- a/core/fpdfapi/page/cpdf_colorspace.cpp
+++ b/core/fpdfapi/page/cpdf_colorspace.cpp
@@ -1100,17 +1100,15 @@
 std::vector<float> CPDF_ICCBasedCS::GetRanges(const CPDF_Dictionary* pDict,
                                               uint32_t nComponents) {
   DCHECK(IsValidIccComponents(nComponents));
+  const CPDF_Array* pRanges = pDict->GetArrayFor("Range");
+  if (pRanges && pRanges->size() >= nComponents * 2)
+    return ReadArrayElementsToVector(pRanges, nComponents * 2);
 
   std::vector<float> ranges;
-  const CPDF_Array* pRanges = pDict->GetArrayFor("Range");
-  if (pRanges) {
-    ranges = ReadArrayElementsToVector(pRanges, nComponents * 2);
-  } else {
-    ranges.reserve(nComponents * 2);
-    for (uint32_t i = 0; i < nComponents; i++) {
-      ranges.push_back(0.0f);
-      ranges.push_back(1.0f);
-    }
+  ranges.reserve(nComponents * 2);
+  for (uint32_t i = 0; i < nComponents; i++) {
+    ranges.push_back(0.0f);
+    ranges.push_back(1.0f);
   }
   return ranges;
 }