authordsinclair <dsinclair@chromium.org>2016-09-07 13:53:51 -0700
committerCommit bot <commit-bot@chromium.org>2016-09-07 13:53:51 -0700
commitb1f5545e34375a5947004ee92cc808b3df9d4a5b (patch)
treea56cc60d4cb86d6c96953cf5084c7e5464abb4c1 /core/fpdfapi/fpdf_render
parent1df1efa3921841fb5fc7fc15e8112eed4375de9f (diff)
Verify pattern start values.
When calculating the starting x and y for a pattern it is possible to overflow the int value. Use checked math to make sure we don't overflow. BUG=chromium:637984 Review-Url: https://codereview.chromium.org/2317283002
Diffstat (limited to 'core/fpdfapi/fpdf_render')
-rw-r--r--core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp15
1 files changed, 13 insertions, 2 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
index 090060d2c0..afcaa8dd19 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
@@ -1138,8 +1138,19 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
FX_FLOAT orig_x = col * pPattern->x_step();
FX_FLOAT orig_y = row * pPattern->y_step();
mtPattern2Device.Transform(orig_x, orig_y);
- start_x = FXSYS_round(orig_x + left_offset) - clip_box.left;
- start_y = FXSYS_round(orig_y + top_offset) - clip_box.top;
+
+ pdfium::base::CheckedNumeric<int> safeStartX =
+ FXSYS_round(orig_x + left_offset);
+ pdfium::base::CheckedNumeric<int> safeStartY =
+ FXSYS_round(orig_y + top_offset);
+
+ safeStartX -= clip_box.left;
+ safeStartY -= clip_box.top;
+ if (!safeStartX.IsValid() || !safeStartY.IsValid())
+ return;
+
+ start_x = safeStartX.ValueOrDefault(0);
+ start_y = safeStartY.ValueOrDefault(0);
}
if (width == 1 && height == 1) {
if (start_x < 0 || start_x >= clip_box.Width() || start_y < 0 ||
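Review bot: The checked arithmetic on `safeStartX`/`safeStartY` covers only the `clip_box` subtraction; `FXSYS_round(orig_x + left_offset)` has already converted the float to `int` before `CheckedNumeric<int>` ever sees the value. `orig_x` and `orig_y` are the pattern's step values run through `mtPattern2Device`, so they are presumably driven by document content, and whether an out-of-range float is clamped or hits an undefined conversion depends on `FXSYS_round`, which is not visible in this hunk. I would either range-check the float sum before rounding or record the assumption next to the declarations, e.g. `// FXSYS_round() narrows to int before the checked math; only the clip_box subtraction is overflow-checked.` Since `IsValid()` is tested just above, `ValueOrDefault(0)` can never fall back to its default, and `ValueOrDie()` would state that more directly. `DrawTilingPattern` starts before and continues past this hunk, so whether `return` (rather than skipping just this tile) is the right failure path cannot be judged from here.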