authorNicolas Pena <npm@chromium.org>2018-07-05 19:14:29 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-07-05 19:14:29 +0000
commite3c4b205572eff5f12900f87d612f14a460e4997 (patch)
treee26110561df5aa631af3db57c563f53cd844d030
parent7007fd56221cb2c19444051ad34afb758c89706b (diff)
Fix integer overflow in CPDF_Type3Cachechromium/3483
Bug: chromium:845800 Change-Id: Ib878dd991e435a76b63b662ef3d9d33c2cc61a19 Reviewed-on: https://pdfium-review.googlesource.com/37191 Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
-rw-r--r--core/fpdfapi/render/cpdf_type3cache.cpp13
1 files changed, 8 insertions, 5 deletions
diff --git a/core/fpdfapi/render/cpdf_type3cache.cpp b/core/fpdfapi/render/cpdf_type3cache.cpp
index 7d7ede5700..a2b4538ef4 100644
--- a/core/fpdfapi/render/cpdf_type3cache.cpp
+++ b/core/fpdfapi/render/cpdf_type3cache.cpp
@@ -13,6 +13,7 @@
#include "core/fpdfapi/font/cpdf_type3char.h"
#include "core/fpdfapi/font/cpdf_type3font.h"
#include "core/fpdfapi/render/cpdf_type3glyphs.h"
+#include "core/fxcrt/fx_safe_types.h"
#include "core/fxge/fx_dib.h"
#include "core/fxge/fx_font.h"
#include "third_party/base/ptr_util.h"
@@ -138,11 +139,13 @@ std::unique_ptr<CFX_GlyphBitmap> CPDF_Type3Cache::RenderGlyph(
if (bFlipped)
std::swap(top_y, bottom_y);
std::tie(top_line, bottom_line) = pSize->AdjustBlue(top_y, bottom_y);
- pResBitmap = pBitmap->StretchTo(
- static_cast<int>(image_matrix.a),
- static_cast<int>(bFlipped ? top_line - bottom_line
- : bottom_line - top_line),
- 0, nullptr);
+ FX_SAFE_INT32 safe_height = bFlipped ? top_line : bottom_line;
+ safe_height -= bFlipped ? bottom_line : top_line;
+ if (!safe_height.IsValid())
+ return nullptr;
+
+ pResBitmap = pBitmap->StretchTo(static_cast<int>(image_matrix.a),
+ safe_height.ValueOrDie(), 0, nullptr);
top = top_line;
if (image_matrix.a < 0)
left = FXSYS_round(image_matrix.e + image_matrix.a);
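Review bot: The width argument on the new `StretchTo` call is still an unchecked `static_cast<int>(image_matrix.a)`, so the commit bounds the height subtraction but leaves a float-to-int conversion that is undefined when the value is NaN or outside the `int` range. Since the matrix presumably derives from the Type 3 font data in the document, I would reject it next to the height check, for example `if (!pdfium::base::IsValueInRangeForNumericType<int>(image_matrix.a)) return nullptr;`. It is also worth confirming that `StretchTo` tolerates a zero or negative `safe_height`, which `IsValid()` does not exclude. RenderGlyph starts and ends outside this hunk, so how callers handle the new `nullptr` return is not visible here.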