diff options
author | Nicolas Pena <npm@chromium.org> | 2018-07-05 19:14:29 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-05 19:14:29 +0000 |
commit | e3c4b205572eff5f12900f87d612f14a460e4997 (patch) | |
tree | e26110561df5aa631af3db57c563f53cd844d030 | |
parent | 7007fd56221cb2c19444051ad34afb758c89706b (diff) | |
download | pdfium-e3c4b205572eff5f12900f87d612f14a460e4997.tar.xz |
Fix integer overflow in CPDF_Type3Cachechromium/3483
Bug: chromium:845800
Change-Id: Ib878dd991e435a76b63b662ef3d9d33c2cc61a19
Reviewed-on: https://pdfium-review.googlesource.com/37191
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
-rw-r--r-- | core/fpdfapi/render/cpdf_type3cache.cpp | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/core/fpdfapi/render/cpdf_type3cache.cpp b/core/fpdfapi/render/cpdf_type3cache.cpp index 7d7ede5700..a2b4538ef4 100644 --- a/core/fpdfapi/render/cpdf_type3cache.cpp +++ b/core/fpdfapi/render/cpdf_type3cache.cpp @@ -13,6 +13,7 @@ #include "core/fpdfapi/font/cpdf_type3char.h" #include "core/fpdfapi/font/cpdf_type3font.h" #include "core/fpdfapi/render/cpdf_type3glyphs.h" +#include "core/fxcrt/fx_safe_types.h" #include "core/fxge/fx_dib.h" #include "core/fxge/fx_font.h" #include "third_party/base/ptr_util.h" @@ -138,11 +139,13 @@ std::unique_ptr<CFX_GlyphBitmap> CPDF_Type3Cache::RenderGlyph( if (bFlipped) std::swap(top_y, bottom_y); std::tie(top_line, bottom_line) = pSize->AdjustBlue(top_y, bottom_y); - pResBitmap = pBitmap->StretchTo( - static_cast<int>(image_matrix.a), - static_cast<int>(bFlipped ? top_line - bottom_line - : bottom_line - top_line), - 0, nullptr); + FX_SAFE_INT32 safe_height = bFlipped ? top_line : bottom_line; + safe_height -= bFlipped ? bottom_line : top_line; + if (!safe_height.IsValid()) + return nullptr; + + pResBitmap = pBitmap->StretchTo(static_cast<int>(image_matrix.a), + safe_height.ValueOrDie(), 0, nullptr); top = top_line; if (image_matrix.a < 0) left = FXSYS_round(image_matrix.e + image_matrix.a); |