authorweili <weili@chromium.org>2016-08-11 19:43:58 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-11 19:43:58 -0700
commit229d05df5bc5deb3890b26b614113c25d9b6935e (patch)
tree1491fa61aab052ac7784ef90c8a7b60368daac27
parent2736276deff3abef9d6b226eb9f585abe1384591 (diff)
Fix an integer overflow in CStretchEngine constructor
When the source bitmap's width and height are large, the multiplication could easily overflow a signed integer. Change to use 'long long' type for calculation to avoid that. BUG=chromium:635663 Review-Url: https://codereview.chromium.org/2240723002
-rw-r--r--BUILD.gn1
-rw-r--r--core/fxge/dib/fx_dib_engine.cpp4
-rw-r--r--core/fxge/dib/fx_dib_engine_unittest.cpp30
-rw-r--r--pdfium.gyp1
4 files changed, 34 insertions, 2 deletions
diff --git a/BUILD.gn b/BUILD.gn
index 8d9dd8167e..a4a3e8dd65 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1572,6 +1572,7 @@ test("pdfium_unittests") {
"core/fxcrt/fx_bidi_unittest.cpp",
"core/fxcrt/fx_extension_unittest.cpp",
"core/fxcrt/fx_system_unittest.cpp",
+ "core/fxge/dib/fx_dib_engine_unittest.cpp",
"fpdfsdk/fpdfdoc_unittest.cpp",
"fpdfsdk/fpdfeditimg_unittest.cpp",
]
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 520148fc77..88b0d4b271 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -306,8 +306,8 @@ CStretchEngine::CStretchEngine(IFX_ScanlineComposer* pDestBitmap,
FX_BOOL bInterpol =
flags & FXDIB_INTERPOL || flags & FXDIB_BICUBIC_INTERPOL;
if (!bInterpol && FXSYS_abs(dest_width) != 0 &&
- FXSYS_abs(dest_height) <
- m_SrcWidth * m_SrcHeight * 8 / FXSYS_abs(dest_width)) {
+ FXSYS_abs(dest_height) / 8 < static_cast<long long>(m_SrcWidth) *
+ m_SrcHeight / FXSYS_abs(dest_width)) {
flags = FXDIB_INTERPOL;
}
m_Flags = flags;
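Review bot: The rewritten comparison in the `if (!bInterpol && ...)` condition is not equivalent to the old one near the threshold, because moving the factor 8 to the left makes both sides truncate separately. For example, with a destination of 8x8 and a source area of 15, the old test was `8 < 15` (true) and the new one is `1 < 1` (false), so some downscales that used to be forced to `FXDIB_INTERPOL` no longer are. If the source dimensions are bounded elsewhere (not visible in this hunk) so that the 64-bit product times 8 cannot overflow, keeping the original shape in the wider type preserves behaviour: `FXSYS_abs(dest_height) < static_cast<long long>(m_SrcWidth) * m_SrcHeight * 8 / FXSYS_abs(dest_width)`. Otherwise a comment such as `// Divide by 8 on the left instead of multiplying on the right so the 64-bit product cannot overflow; rounds the threshold down.` would record why the form changed. The constructor body starts and continues outside the hunk.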
diff --git a/core/fxge/dib/fx_dib_engine_unittest.cpp b/core/fxge/dib/fx_dib_engine_unittest.cpp
new file mode 100644
index 0000000000..d185adf49d
--- /dev/null
+++ b/core/fxge/dib/fx_dib_engine_unittest.cpp
@@ -0,0 +1,30 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <memory>
+
+#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_number.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
+#include "core/fpdfapi/fpdf_render/render_int.h"
+#include "core/fxcrt/include/fx_memory.h"
+#include "core/fxge/dib/dib_int.h"
+#include "core/fxge/include/fx_dib.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(CStretchEngine, OverflowInCtor) {
+ FX_RECT clip_rect;
+ std::unique_ptr<CPDF_Dictionary, ReleaseDeleter<CPDF_Dictionary>> dict_obj(
+ new CPDF_Dictionary);
+ dict_obj->SetAt("Width", new CPDF_Number(71000));
+ dict_obj->SetAt("Height", new CPDF_Number(12500));
+ std::unique_ptr<CPDF_Stream, ReleaseDeleter<CPDF_Stream>> stream(
+ new CPDF_Stream(nullptr, 0, dict_obj.release()));
+ CPDF_DIBSource dib_source;
+ dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr,
+ false, 0, false);
+ CStretchEngine engine(nullptr, FXDIB_8bppRgb, 500, 500, clip_rect,
+ &dib_source, 0);
+ EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags);
+}
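Review bot: The result of `dib_source.Load(...)` is ignored in `OverflowInCtor`, so if loading fails the engine is built from whatever dimensions the source is left with, and the only symptom is a flags mismatch. Assuming Load returns a status (its declaration is not visible here), wrap the call in `ASSERT_TRUE(...)`. The chosen dimensions deserve a comment, for instance `// 71000 * 12500 * 8 exceeds INT_MAX, which overflowed the old int computation.` A second case with small dimensions, where `m_Flags` is expected to stay unchanged, would pin the threshold itself and not only the overflow path.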
diff --git a/pdfium.gyp b/pdfium.gyp
index 1cc8758bd9..f04ce42d4f 100644
--- a/pdfium.gyp
+++ b/pdfium.gyp
@@ -949,6 +949,7 @@
'core/fxcrt/fx_bidi_unittest.cpp',
'core/fxcrt/fx_extension_unittest.cpp',
'core/fxcrt/fx_system_unittest.cpp',
+ 'core/fxge/dib/fx_dib_engine_unittest.cpp',
'fpdfsdk/fpdfdoc_unittest.cpp',
'fpdfsdk/fpdfeditimg_unittest.cpp',
'testing/fx_string_testhelpers.h',