Google Git
Sign in
pdfium / pdfium / b9efec82ee1ac3623fe7574591118bf2c5321a36^! / .
commitb9efec82ee1ac3623fe7574591118bf2c5321a36[log] [tgz]
authorLei Zhang <thestig@chromium.org>Mon Nov 14 20:41:45 2022 +0000
committerPdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>Mon Nov 14 20:41:45 2022 +0000
tree31c1031910a7b28e8413f9c4ff89b3c72012078c
parentd4d1ae35751d6957cbadc07fb60b5c13b9ac2980 [diff]
Check resolution_levels_to_skip value in CJPX_Decoder::Init().

Set a limit for the largest allowed value for the number of resolution
levels to skip for JPEG2000 decoding. This limit is likely unreachable
in production, but can be easily reached by pdf_jpx_fuzzer.

Along the way, remove a redundant check, rename a constant to kFoo, and
change the constant's type to uint8_t.

Bug: chromium:1381880
Change-Id: I6df311af67250bedd42f07d826837ec199716720
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/101110
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

diff --git a/core/fxcodec/jpx/cjpx_decoder.cpp b/core/fxcodec/jpx/cjpx_decoder.cpp
index 4d735c9..00f1d11 100644
--- a/core/fxcodec/jpx/cjpx_decoder.cpp
+++ b/core/fxcodec/jpx/cjpx_decoder.cpp

@@ -419,10 +419,12 @@
 
 bool CJPX_Decoder::Init(pdfium::span<const uint8_t> src_data,
                         uint8_t resolution_levels_to_skip) {
-  static const unsigned char szJP2Header[] = {
-      0x00, 0x00, 0x00, 0x0c, 0x6a, 0x50, 0x20, 0x20, 0x0d, 0x0a, 0x87, 0x0a};
-  if (src_data.empty() || src_data.size() < sizeof(szJP2Header))
+  static constexpr uint8_t kJP2Header[] = {0x00, 0x00, 0x00, 0x0c, 0x6a, 0x50,
+                                           0x20, 0x20, 0x0d, 0x0a, 0x87, 0x0a};
+  if (src_data.size() < sizeof(kJP2Header) ||
+      resolution_levels_to_skip > kMaxResolutionsToSkip) {
     return false;
+  }
 
   m_Image = nullptr;
   m_SrcData = src_data;
@@ -435,7 +437,7 @@
   m_Parameters.decod_format = 0;
   m_Parameters.cod_format = 3;
   m_Parameters.cp_reduce = resolution_levels_to_skip;
-  if (memcmp(m_SrcData.data(), szJP2Header, sizeof(szJP2Header)) == 0) {
+  if (memcmp(m_SrcData.data(), kJP2Header, sizeof(kJP2Header)) == 0) {
     m_Codec = opj_create_decompress(OPJ_CODEC_JP2);
     m_Parameters.decod_format = 1;
   } else {

diff --git a/core/fxcodec/jpx/cjpx_decoder.h b/core/fxcodec/jpx/cjpx_decoder.h
index 7045cdf..bafad1d 100644
--- a/core/fxcodec/jpx/cjpx_decoder.h
+++ b/core/fxcodec/jpx/cjpx_decoder.h

@@ -7,6 +7,8 @@
 #ifndef CORE_FXCODEC_JPX_CJPX_DECODER_H_
 #define CORE_FXCODEC_JPX_CJPX_DECODER_H_
 
+#include <stdint.h>
+
 #include <memory>
 
 #include "core/fxcrt/unowned_ptr.h"
@@ -24,6 +26,10 @@
 
 class CJPX_Decoder {
  public:
+  // Calculated as log2(2^32 / 1), where 2^32 is the largest image dimension and
+  // 1 is the smallest required size.
+  static constexpr uint8_t kMaxResolutionsToSkip = 32;
+
   enum ColorSpaceOption {
     kNoColorSpace,
     kNormalColorSpace,