author | dsinclair <dsinclair@chromium.org> | 2016-09-07 13:53:51 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-07 13:53:51 -0700 |
commit | b1f5545e34375a5947004ee92cc808b3df9d4a5b (patch) | |
tree | a56cc60d4cb86d6c96953cf5084c7e5464abb4c1 /core/fpdfapi/fpdf_render | |
parent | 1df1efa3921841fb5fc7fc15e8112eed4375de9f (diff) | |
download | pdfium-b1f5545e34375a5947004ee92cc808b3df9d4a5b.tar.xz |
Verify pattern start values.
When calculating the starting x and y for a pattern it is possible to overflow
the int value. Use checked math to make sure we don't overflow.
BUG=chromium:637984
Review-Url: https://codereview.chromium.org/2317283002
Diffstat (limited to 'core/fpdfapi/fpdf_render')
-rw-r--r-- | core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
index 090060d2c0..afcaa8dd19 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
@@ -1138,8 +1138,19 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
 FX_FLOAT orig_x = col * pPattern->x_step();
 FX_FLOAT orig_y = row * pPattern->y_step();
 mtPattern2Device.Transform(orig_x, orig_y);
- start_x = FXSYS_round(orig_x + left_offset) - clip_box.left;
- start_y = FXSYS_round(orig_y + top_offset) - clip_box.top;
+
+ pdfium::base::CheckedNumeric<int> safeStartX =
+ FXSYS_round(orig_x + left_offset);
+ pdfium::base::CheckedNumeric<int> safeStartY =
+ FXSYS_round(orig_y + top_offset);
+
+ safeStartX -= clip_box.left;
+ safeStartY -= clip_box.top;
+ if (!safeStartX.IsValid() || !safeStartY.IsValid())
+ return;
+
+ start_x = safeStartX.ValueOrDefault(0);
+ start_y = safeStartY.ValueOrDefault(0);
 }
 if (width == 1 && height == 1) {
 if (start_x < 0 || start_x >= clip_box.Width() || start_y < 0 || |
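Review bot: The float-to-int conversion in `FXSYS_round(orig_x + left_offset)` and `FXSYS_round(orig_y + top_offset)` happens before the result is wrapped in `CheckedNumeric<int>`, so the checked math only covers the `clip_box.left` / `clip_box.top` subtraction. `FXSYS_round` is not visible in this hunk; if it does not saturate or reject out-of-range and NaN input, a document-controlled step or matrix can still produce an undefined conversion ahead of the new guard. I would either range-check the float sum before rounding or state the assumption next to the assignment, e.g. `// Relies on FXSYS_round() saturating out-of-range input; only the clip_box subtraction is overflow-checked here.` As a smaller style point, `ValueOrDefault(0)` directly after the `IsValid()` test can never take the default, so `start_x = safeStartX.ValueOrDie();` expresses the invariant more directly. The body of `DrawTilingPattern` starts and ends outside the hunk, so whether the early `return` skips any needed cleanup cannot be confirmed from here.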