authorDan Sinclair <dsinclair@chromium.org>2017-10-23 09:13:58 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-10-23 13:25:37 +0000
commit97dab80731a15a6bd74cdc3caf11f97c3a3be5ed (patch)
tree52dd7da9f3477cb86bf0c1d08e8ae84a8b528ff7 /core/fpdfapi/render/cpdf_renderstatus.cpp
parent0e568818249ff83d239b98cbb32dec94358da0c7 (diff)
Validate pattern sizes before usage
This CL adds some validation into the tiling pattern drawing code. BUG: chromium:775365 Change-Id: I7bcad7f7f2c83982cd955f92091658b46f6b820b Reviewed-on: https://pdfium-review.googlesource.com/16190 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fpdfapi/render/cpdf_renderstatus.cpp')
-rw-r--r--core/fpdfapi/render/cpdf_renderstatus.cpp24
1 files changed, 20 insertions, 4 deletions
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index 24ac1357b2..0bf03d27c9 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -7,6 +7,8 @@
#include "core/fpdfapi/render/cpdf_renderstatus.h"
#include <algorithm>
+#include <cmath>
+#include <limits>
#include <memory>
#include <utility>
#include <vector>
@@ -2229,11 +2231,21 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
(mtPattern2Device.IsScaled() || mtPattern2Device.Is90Rotated());
CFX_FloatRect cell_bbox = mtPattern2Device.TransformRect(pPattern->bbox());
- int width = static_cast<int>(ceil(cell_bbox.Width()));
- int height = static_cast<int>(ceil(cell_bbox.Height()));
- if (width == 0)
+
+ float ceil_height = std::ceil(cell_bbox.Height());
+ float ceil_width = std::ceil(cell_bbox.Width());
+
+ // Validate the float will fit into the int when the conversion is done.
+ if (!pdfium::base::IsValueInRangeForNumericType<int>(ceil_height) ||
+ !pdfium::base::IsValueInRangeForNumericType<int>(ceil_width)) {
+ return;
+ }
+
+ int width = static_cast<int>(ceil_width);
+ int height = static_cast<int>(ceil_height);
+ if (width <= 0)
width = 1;
- if (height == 0)
+ if (height <= 0)
height = 1;
CFX_FloatRect clip_box_p =
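Review bot: The bare `return;` after the range check makes the renderer drop the whole tiling pattern with no trace, and the comment above it says neither that this is intended nor why the cast would be unsafe. I would expand the comment to something like `// An out-of-range float-to-int cast is undefined behaviour; give up on drawing this pattern instead.` It would also help to state whether NaN dimensions are expected to be rejected by `IsValueInRangeForNumericType` as well, since that cannot be confirmed from the hunk. The enclosing DrawTilingPattern body starts and ends outside the hunk.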
@@ -2247,6 +2259,10 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
int max_row = (int)floor((clip_box_p.top - pPattern->bbox().bottom) /
pPattern->y_step());
+ // Make sure we can fit the needed width * height into an int.
+ if (height > std::numeric_limits<int>::max() / width)
+ return;
+
if (width > clip_box.Width() || height > clip_box.Height() ||
width * height > clip_box.Width() * clip_box.Height()) {
std::unique_ptr<CPDF_GraphicStates> pStates;
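Review bot: The `(int)floor(...)` cast that produces `max_row` is still an unchecked float-to-int conversion, the same hazard this commit removes for `width` and `height`: a zero or very small `y_step()` makes the quotient infinite or huge, and casting that to int is undefined. Unless `y_step()` is validated earlier (not visible here), range-check the value first, e.g. `float row = std::floor((clip_box_p.top - pPattern->bbox().bottom) / pPattern->y_step());` followed by `if (!pdfium::base::IsValueInRangeForNumericType<int>(row)) return;`. The sibling column/row bounds are computed above the hunk and presumably need the same treatment. Separately, the new guard covers only `width * height`; if `clip_box.Width()` and `clip_box.Height()` return int, the right-hand product in the following condition can still overflow.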