Fix OOB access inside CBC_PDF417
Fail if the code word length is too large.
Bug: 342458997
Change-Id: Ie9d7081f18705f045402716779e9f313e12bfe30
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/119755
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
diff --git a/fxbarcode/pdf417/BC_PDF417.cpp b/fxbarcode/pdf417/BC_PDF417.cpp
index 061f466..257268f 100644
--- a/fxbarcode/pdf417/BC_PDF417.cpp
+++ b/fxbarcode/pdf417/BC_PDF417.cpp
@@ -33,7 +33,9 @@
namespace {
-using CodewordRow = std::array<const uint16_t, 929>;
+constexpr int kCodewordRowLength = 929;
+
+using CodewordRow = std::array<const uint16_t, kCodewordRowLength>;
constexpr std::array<const CodewordRow, 3> kCodewordTable = {
{{0xd5c0, 0xeaf0, 0xf57c, 0xd4e0, 0xea78, 0xf53e, 0xa8c0, 0xd470, 0xa860,
0x5040, 0xa830, 0x5020, 0xadc0, 0xd6f0, 0xeb7c, 0xace0, 0xd678, 0xeb3e,
@@ -353,6 +355,7 @@
}
} // namespace
+
CBC_PDF417::CBC_PDF417() = default;
CBC_PDF417::~CBC_PDF417() = default;
@@ -383,10 +386,15 @@
int32_t rows = dimensions[1];
int32_t pad = getNumberOfPadCodewords(sourceCodeWords,
errorCorrectionCodeWords, cols, rows);
- if (sourceCodeWords + errorCorrectionCodeWords + 1 > 929)
+ if (sourceCodeWords + errorCorrectionCodeWords + 1 > kCodewordRowLength) {
return false;
+ }
int32_t n = sourceCodeWords + pad + 1;
+ if (n >= kCodewordRowLength) {
+ return false;
+ }
+
WideString sb;
sb += (wchar_t)n;
sb += high_level.value();
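Review bot: The added `if (n >= kCodewordRowLength)` guard has no comment saying which access it protects, and it uses `>=` where the check just above it uses `>`, so a later reader cannot tell whether the difference is intentional. If, as the commit title suggests, `n` is appended to `sb` as a codeword that is later used as an index into a `CodewordRow` (that code is outside this hunk), a one-line comment such as `// n is emitted as the first codeword and must be a valid CodewordRow index (< kCodewordRowLength).` would record the invariant. Only the upper bound is checked; whether `pad` can be negative depends on `getNumberOfPadCodewords`, which is not visible here, so it is worth confirming that `n` cannot go below zero before the `(wchar_t)n` cast. The enclosing function starts and ends outside the hunk.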