authordsinclair <dsinclair@chromium.org>2016-08-09 06:50:28 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-09 06:50:28 -0700
commitfb362089d952950212ccf159f86a46923f223172 (patch)
tree23692bebb1dc91a8b2998663336ec7902f540845
parent5d8e5aa882fe8d37d32b71137f039165581ddb82 (diff)
Fixup various overflow conditions
There were several overflows detected by the PDF from the linked bug. This CL fixes up the root causes of each of them. BUG=chromium:635473 Review-Url: https://codereview.chromium.org/2226023002
-rw-r--r--core/fxcrt/include/fx_coordinates.h8
-rw-r--r--core/fxge/ge/fx_ge_device.cpp7
-rw-r--r--third_party/agg23/0002-ubsan-error-fixes.patch33
-rw-r--r--third_party/agg23/README.pdfium1
-rw-r--r--third_party/agg23/agg_clip_liang_barsky.h15
5 files changed, 62 insertions, 2 deletions
diff --git a/core/fxcrt/include/fx_coordinates.h b/core/fxcrt/include/fx_coordinates.h
index eff2a7258a..ce97f6f6f3 100644
--- a/core/fxcrt/include/fx_coordinates.h
+++ b/core/fxcrt/include/fx_coordinates.h
@@ -150,6 +150,14 @@ struct FX_RECT {
int Height() const { return bottom - top; }
bool IsEmpty() const { return right <= left || bottom <= top; }
+ bool Valid() const {
+ pdfium::base::CheckedNumeric<int> w = right;
+ pdfium::base::CheckedNumeric<int> h = bottom;
+ w -= left;
+ h -= top;
+ return w.IsValid() && h.IsValid();
+ }
+
void Normalize();
void Intersect(const FX_RECT& src);
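Review bot: The new `Valid()` carries no comment saying what it validates, and its name suggests a broader property than it checks: it only establishes that `Width()` and `Height()` can be computed without signed-integer overflow, while a rect with `right < left` or `bottom < top` still reports valid (that case belongs to `IsEmpty()`). I would add above the declaration `// True when Width() and Height() can be computed without signed-integer overflow; says nothing about orientation, see IsEmpty().` so callers do not read it as a general sanity check. The two subtractions can also be written as single expressions, `return (pdfium::base::CheckedNumeric<int>(right) - left).IsValid() && (pdfium::base::CheckedNumeric<int>(bottom) - top).IsValid();`, which drops the mutable intermediates. The definition of FX_RECT starts before the hunk.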
diff --git a/core/fxge/ge/fx_ge_device.cpp b/core/fxge/ge/fx_ge_device.cpp
index 36d2920b49..7cf11e7a1f 100644
--- a/core/fxge/ge/fx_ge_device.cpp
+++ b/core/fxge/ge/fx_ge_device.cpp
@@ -170,6 +170,13 @@ FX_BOOL CFX_RenderDevice::DrawPathWithBlend(
if (!(fill_mode & FXFILL_RECT_AA) &&
pPathData->IsRect(pObject2Device, &rect_f)) {
FX_RECT rect_i = rect_f.GetOutterRect();
+
+ // Depending on the top/bottom, left/right values of the rect it's
+ // possible to overflow the Width() and Height() calculations. Check that
+ // the rect will have valid dimension before continuing.
+ if (!rect_i.Valid())
+ return FALSE;
+
int width = (int)FXSYS_ceil(rect_f.right - rect_f.left);
if (width < 1) {
width = 1;
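Review bot: The added `Valid()` guard covers `rect_i.Width()`/`Height()`, but the line right after it still computes `width` from the float rect with `(int)FXSYS_ceil(rect_f.right - rect_f.left)`, and a float difference outside the int range makes that conversion undefined behaviour regardless of the new check, so the guard does not protect the computation that immediately follows it. The rect is derived from path data (`pPathData->IsRect`), so I would not assume its extent is bounded; convert with a range-checked conversion instead, e.g. `pdfium::base::saturated_cast<int>(FXSYS_ceil(rect_f.right - rect_f.left))` if the project's copy of the numerics library provides it, or build a `CheckedNumeric<int>` from the ceiled value and return FALSE when `IsValid()` fails, as the new code already does for rect_i. The C-style cast is worth replacing with a named cast either way. DrawPathWithBlend begins and continues outside the hunk, so the same applies to the `height` computation if it mirrors this one.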
diff --git a/third_party/agg23/0002-ubsan-error-fixes.patch b/third_party/agg23/0002-ubsan-error-fixes.patch
new file mode 100644
index 0000000000..00ced0071c
--- /dev/null
+++ b/third_party/agg23/0002-ubsan-error-fixes.patch
@@ -0,0 +1,33 @@
+diff --git a/third_party/agg23/agg_clip_liang_barsky.h b/third_party/agg23/agg_clip_liang_barsky.h
+index db6ca97..5b1261f 100644
+--- a/third_party/agg23/agg_clip_liang_barsky.h
++++ b/third_party/agg23/agg_clip_liang_barsky.h
+@@ -20,6 +20,7 @@
+ #ifndef AGG_CLIP_LIANG_BARSKY_INCLUDED
+ #define AGG_CLIP_LIANG_BARSKY_INCLUDED
+ #include "agg_basics.h"
++#include "third_party/base/numerics/safe_math.h"
+ namespace agg
+ {
+ template<class T>
+@@ -36,8 +37,18 @@ inline unsigned clip_liang_barsky(T x1, T y1, T x2, T y2,
+ T* x, T* y)
+ {
+ const FX_FLOAT nearzero = 1e-30f;
+- FX_FLOAT deltax = (FX_FLOAT)(x2 - x1);
+- FX_FLOAT deltay = (FX_FLOAT)(y2 - y1);
++
++ pdfium::base::CheckedNumeric<FX_FLOAT> width = x2;
++ width -= x1;
++ if (!width.IsValid())
++ return 0;
++ pdfium::base::CheckedNumeric<FX_FLOAT> height = y2;
++ height -= y1;
++ if (!height.IsValid())
++ return 0;
++
++ FX_FLOAT deltax = width.ValueOrDefault(0);
++ FX_FLOAT deltay = height.ValueOrDefault(0);
+ unsigned np = 0;
+ if(deltax == 0) {
+ deltax = (x1 > clip_box.x1) ? -nearzero : nearzero;
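Review bot: The entry this commit adds to README.pdfium names this file `0002-ubsan-error-fixes.path`, which does not match the file name `0002-ubsan-error-fixes.patch` added here; anyone re-applying the agg23 patches from the README list will not find it, so the README line should read `0002-ubsan-error-fixes.patch: Fix UBSan errors for overflows.`. This file also duplicates the change made directly to third_party/agg23/agg_clip_liang_barsky.h in the same commit, and nothing records that the two must stay in step; a one-line header comment in the patch (or in README.pdfium) saying the patch is the upstream-diff form of the header edit would make that explicit.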
diff --git a/third_party/agg23/README.pdfium b/third_party/agg23/README.pdfium
index 3b73d4d4d3..8e055d2079 100644
--- a/third_party/agg23/README.pdfium
+++ b/third_party/agg23/README.pdfium
@@ -14,3 +14,4 @@ Various changes to use FX_ library functions.
Possibly more?
0001-gcc-warning.patch: Fix a GCC warning about both enumeral and
non-enumeral type in conditional.
+0002-ubsan-error-fixes.path: Fix UBSan errors for overflows.
diff --git a/third_party/agg23/agg_clip_liang_barsky.h b/third_party/agg23/agg_clip_liang_barsky.h
index db6ca97505..5b1261f004 100644
--- a/third_party/agg23/agg_clip_liang_barsky.h
+++ b/third_party/agg23/agg_clip_liang_barsky.h
@@ -20,6 +20,7 @@
#ifndef AGG_CLIP_LIANG_BARSKY_INCLUDED
#define AGG_CLIP_LIANG_BARSKY_INCLUDED
#include "agg_basics.h"
+#include "third_party/base/numerics/safe_math.h"
namespace agg
{
template<class T>
@@ -36,8 +37,18 @@ inline unsigned clip_liang_barsky(T x1, T y1, T x2, T y2,
T* x, T* y)
{
const FX_FLOAT nearzero = 1e-30f;
- FX_FLOAT deltax = (FX_FLOAT)(x2 - x1);
- FX_FLOAT deltay = (FX_FLOAT)(y2 - y1);
+
+ pdfium::base::CheckedNumeric<FX_FLOAT> width = x2;
+ width -= x1;
+ if (!width.IsValid())
+ return 0;
+ pdfium::base::CheckedNumeric<FX_FLOAT> height = y2;
+ height -= y1;
+ if (!height.IsValid())
+ return 0;
+
+ FX_FLOAT deltax = width.ValueOrDefault(0);
+ FX_FLOAT deltay = height.ValueOrDefault(0);
unsigned np = 0;
if(deltax == 0) {
deltax = (x1 > clip_box.x1) ? -nearzero : nearzero;
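Review bot: The two early `return 0;` exits carry no comment saying what a zero result means for a segment whose extent is not finite, and the later `ValueOrDefault(0)` reads imply the values might still be invalid even though both `IsValid()` checks have just passed. From the code I infer that `np == 0` is what the caller treats as "no output points", so I would add before the first check `// A non-finite delta cannot be clipped; report no output points so the caller skips the segment.` and read the checked values with `ValueOrDie()` to state that validity has already been established. Note that `CheckedNumeric<FX_FLOAT>` rejects NaN and infinite inputs as well as overflowing differences, which is a wider filter than the old cast applied; that is fine, but a comment should say it is intended. The body of clip_liang_barsky continues past the hunk, and the same change is mirrored in 0002-ubsan-error-fixes.patch, which needs the same wording.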