commit 7cf555202756c51ce2b5ae18efdeb6e1bb6a9e41
author ochang <ochang@chromium.org> Fri Apr 15 13:52:00 2016 -0700
committer Commit bot <commit-bot@chromium.org> Fri Apr 15 13:52:00 2016 -0700
tree 8be0c41efc1bce888ee8429e9adf4f13f379ba64
parent 018935c9304bebf13fbad20b124d775ccae87fae

Prevent a potential OOB read in TranslateImageLine.

Fixes a potential mismatch of |m_nComponents| between CPDF_DIBSource and
its CPDF_ColorSpace, from code attempting to recover from a failed decoder
initialisation in CPDF_DIBSource::CreateDecoder.

BUG=chromium:603518
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1892143003

core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp

diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
index 951d383..44ac29f 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp
@@ -570,15 +570,16 @@
                                 bpc, bTransform)) {
         if (m_nComponents != static_cast<uint32_t>(comps)) {
           FX_Free(m_pCompData);
+          m_pCompData = nullptr;
           m_nComponents = static_cast<uint32_t>(comps);
-          if (m_Family == PDFCS_LAB && m_nComponents != 3) {
-            m_pCompData = nullptr;
+          if (m_pColorSpace &&
+              m_pColorSpace->CountComponents() != m_nComponents)
             return 0;
-          }
+          if (m_Family == PDFCS_LAB && m_nComponents != 3)
+            return 0;
           m_pCompData = GetDecodeAndMaskArray(m_bDefaultDecode, m_bColorKey);
-          if (!m_pCompData) {
+          if (!m_pCompData)
             return 0;
-          }
         }
         m_bpc = bpc;
         m_pDecoder.reset(CPDF_ModuleMgr::Get()->GetJpegModule()->CreateDecoder(

core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp

diff --git a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
index 427abb8..5c6a8c5 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_loadimage_embeddertest.cpp
@@ -27,3 +27,13 @@
   FPDFBitmap_Destroy(bitmap);
   UnloadPage(page);
 }
+
+TEST_F(FPDFRenderLoadImageEmbeddertest, Bug_603518) {
+  // Should not crash
+  EXPECT_TRUE(OpenDocument("bug_603518.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  EXPECT_NE(nullptr, page);
+  FPDF_BITMAP bitmap = RenderPage(page);
+  FPDFBitmap_Destroy(bitmap);
+  UnloadPage(page);
+}

testing/resources/bug_603518.pdf

diff --git a/testing/resources/bug_603518.pdf b/testing/resources/bug_603518.pdf
new file mode 100644
index 0000000..1af6005
--- /dev/null
+++ b/testing/resources/bug_603518.pdf
Binary files differ