authorLei Zhang <thestig@chromium.org>2015-07-13 16:46:05 -0700
committerLei Zhang <thestig@chromium.org>2015-07-13 16:46:05 -0700
commitffd6dce453db7f2f3d636ee6cb0d91bd700e6dc9 (patch)
treed39775ca0d60125bd56e83669e90c159b8b3b44b
parenta5f265d3815453cf937faea020012fde27ee1a69 (diff)
downloadpdfium-ffd6dce453db7f2f3d636ee6cb0d91bd700e6dc9.tar.xz
Merge to M44: Fix Heap Overflow in CJBig2_Image::expand
Integer overflow in CJBig2_Image::expand. It causes the size of the reallocated buffer to be different from what was expected. BUG=483981 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1131023008 (cherry picked from commit 59f4b44d1fbb259967ea518e0bf5fa76b0cc9767) Review URL: https://codereview.chromium.org/1237723002 .
-rw-r--r--core/src/fxcodec/jbig2/JBig2_Image.cpp13
1 files changed, 10 insertions, 3 deletions
diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp
index 5da1fc63d0..03929b84c8 100644
--- a/core/src/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp
@@ -4,10 +4,12 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#include "JBig2_Image.h"
+#include <limits.h>
#include "../../../include/fxcrt/fx_basic.h"
#include "../../../include/fxcrt/fx_coordinates.h"
-#include <limits.h>
+#include "../../../src/fxcrt/fx_safe_types.h"
+#include "JBig2_Image.h"
+
CJBig2_Image::CJBig2_Image(FX_INT32 w, FX_INT32 h)
{
m_nWidth = w;
@@ -768,7 +770,12 @@ void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
if (!m_pData) {
return;
}
- m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, h * m_nStride);
+ FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h);
+ safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+ if (!safeMemSize.IsValid()) {
+ return;
+ }
+ m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
if(h > m_nHeight) {
JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
}
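Review bot: The two checked_cast<FX_DWORD> calls on the new lines turn a negative `h` or `m_nStride` into a fatal range-check failure rather than the early return the IsValid() branch was written for, so malformed input that previously overflowed now aborts the process instead of being rejected (checked_cast in Chromium's base numerics CHECKs on out-of-range values, as far as I know). Guarding first, `if (h < 0 || m_nStride < 0) { return; }`, or assigning the signed values directly into the FX_SAFE_DWORD so the invalid state propagates to IsValid(), keeps the rejection path non-fatal. The realloc result on the `m_pData =` line is also still used unchecked by the memset that follows; if JBig2_Realloc can return null on failure, an `if (!m_pData) return;` (or equivalent) is needed there. CJBig2_Image::expand begins before this hunk and continues past it, so whether the caller learns about the early return depends on code not shown here.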