Avoid div by 0 in CPDF_DIB::GetDecodeAndMaskArray()
Early return if m_bpc is invalid and zeroed.
Bug: pdfium:1823
Change-Id: I0ebe8c454cf15faa766515b716466f3520083fd4
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/93032
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/page/cpdf_dib.cpp b/core/fpdfapi/page/cpdf_dib.cpp
index ecf66e2..9c0798a 100644
--- a/core/fpdfapi/page/cpdf_dib.cpp
+++ b/core/fpdfapi/page/cpdf_dib.cpp
@@ -374,7 +374,9 @@
if (!decoder_array.value().empty())
filter = decoder_array.value().back().first;
- ValidateDictParam(filter);
+ if (!ValidateDictParam(filter))
+ return false;
+
return GetDecodeAndMaskArray(&m_bDefaultDecode, &m_bColorKey);
}
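Review bot: The guard against a zeroed `m_bpc` sits only at this call site, so `GetDecodeAndMaskArray()` still relies on every caller having validated first. Its body is outside this diff, so whether it checks `m_bpc` before the division named in the commit title cannot be confirmed from here. Because `m_bpc` presumably originates from an attacker-controllable image dictionary, a check at the point of use, e.g. `if (m_bpc == 0) return false;` near the top of `GetDecodeAndMaskArray()`, would keep the invariant local and cover any other caller. No regression test appears among the files shown; a test built from the pdfium:1823 reproducer would pin the fix. The enclosing function begins above this hunk.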
@@ -904,7 +906,7 @@
}
}
-void CPDF_DIB::ValidateDictParam(const ByteString& filter) {
+bool CPDF_DIB::ValidateDictParam(const ByteString& filter) {
m_bpc = m_bpc_orig;
// Per spec, |m_bpc| should always be 8 for RunLengthDecode, but too many
@@ -912,7 +914,7 @@
if (filter == "JPXDecode") {
m_bDoBpcCheck = false;
- return;
+ return true;
}
if (filter == "CCITTFaxDecode" || filter == "JBIG2Decode") {
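Review bot: The `JPXDecode` branch returns `true` without `IsAllowedBitsPerComponent()` ever running, so `m_bpc` keeps whatever was copied from `m_bpc_orig` and the caller changed in the first hunk proceeds to `GetDecodeAndMaskArray()`. If `m_bpc_orig` can be 0 for a JPX image (plausible when the dictionary omits the entry, but not visible here), the division this commit guards against may still be reachable on that path. It is worth confirming that `m_bpc` is set from the codestream before the decode array is built, or that `GetDecodeAndMaskArray()` bails out for this case. If skipping validation is intentional, a comment such as `// JPX supplies its own bit depth; |m_bpc| is deliberately not validated here.` would record that. The function body continues outside the hunk.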
@@ -922,8 +924,11 @@
m_bpc = 8;
}
- if (!IsAllowedBitsPerComponent(m_bpc))
+ if (!IsAllowedBitsPerComponent(m_bpc)) {
m_bpc = 0;
+ return false;
+ }
+ return true;
}
void CPDF_DIB::TranslateScanline24bpp(
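Review bot: `ValidateDictParam()` now reports failure in two ways, by returning `false` and by leaving `m_bpc` at 0, and neither is documented at the definition or at the declaration in cpdf_dib.h. A comment on the declaration would state the contract, e.g. `// Returns false, with |m_bpc| reset to 0, if the bits-per-component value is not allowed for |filter|.` Marking the declaration `[[nodiscard]]` (if the project's language level permits) would also flag any call site outside this diff that still ignores the result, since a dropped return value otherwise compiles silently and leaves the zeroed `m_bpc` in use.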
diff --git a/core/fpdfapi/page/cpdf_dib.h b/core/fpdfapi/page/cpdf_dib.h
index 589c217..3655a8c 100644
--- a/core/fpdfapi/page/cpdf_dib.h
+++ b/core/fpdfapi/page/cpdf_dib.h
@@ -95,7 +95,7 @@
bool TranslateScanline24bppDefaultDecode(
pdfium::span<uint8_t> dest_scan,
pdfium::span<const uint8_t> src_scan) const;
- void ValidateDictParam(const ByteString& filter);
+ bool ValidateDictParam(const ByteString& filter);
bool TransMask() const;
void SetMaskProperties();