Check validity of width and height in CCodec_TiffContext::LoadFrameInfo
We are using pdfium::base::checked_cast to get the width and height,
but we may overflow and abort. Therefore, we should instead early
return if the obtained width and height are not valid int32_t's.
BUG=655056
Change-Id: Ic0c6b88a16dc3d547fe82736bb14ed3122cd356a
Reviewed-on: https://pdfium-review.googlesource.com/2160
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index be9c7d4..cf38d71 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -267,8 +267,13 @@
Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MAKE, pAttribute);
Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MODEL, pAttribute);
}
- *width = pdfium::base::checked_cast<int32_t>(tif_width);
- *height = pdfium::base::checked_cast<int32_t>(tif_height);
+ pdfium::base::CheckedNumeric<int32_t> checked_width = tif_width;
+ pdfium::base::CheckedNumeric<int32_t> checked_height = tif_height;
+ if (!checked_width.IsValid() || !checked_height.IsValid())
+ return false;
+
+ *width = checked_width.ValueOrDie();
+ *height = checked_height.ValueOrDie();
*comps = tif_comps;
*bpc = tif_bpc;
if (tif_rps > tif_height) {