diff options
author | Dan Sinclair <dsinclair@chromium.org> | 2017-10-23 09:13:58 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-23 13:25:37 +0000 |
commit | 97dab80731a15a6bd74cdc3caf11f97c3a3be5ed (patch) | |
tree | 52dd7da9f3477cb86bf0c1d08e8ae84a8b528ff7 /core/fpdfapi/render/cpdf_renderstatus.cpp | |
parent | 0e568818249ff83d239b98cbb32dec94358da0c7 (diff) | |
download | pdfium-97dab80731a15a6bd74cdc3caf11f97c3a3be5ed.tar.xz |
Validate pattern sizes before usage
This CL adds some validation into the tiling pattern drawing code.
BUG: chromium:775365
Change-Id: I7bcad7f7f2c83982cd955f92091658b46f6b820b
Reviewed-on: https://pdfium-review.googlesource.com/16190
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fpdfapi/render/cpdf_renderstatus.cpp')
-rw-r--r-- | core/fpdfapi/render/cpdf_renderstatus.cpp | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp index 24ac1357b2..0bf03d27c9 100644 --- a/core/fpdfapi/render/cpdf_renderstatus.cpp +++ b/core/fpdfapi/render/cpdf_renderstatus.cpp @@ -7,6 +7,8 @@ #include "core/fpdfapi/render/cpdf_renderstatus.h" #include <algorithm> +#include <cmath> +#include <limits> #include <memory> #include <utility> #include <vector> @@ -2229,11 +2231,21 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern, (mtPattern2Device.IsScaled() || mtPattern2Device.Is90Rotated()); CFX_FloatRect cell_bbox = mtPattern2Device.TransformRect(pPattern->bbox()); - int width = static_cast<int>(ceil(cell_bbox.Width())); - int height = static_cast<int>(ceil(cell_bbox.Height())); - if (width == 0) + + float ceil_height = std::ceil(cell_bbox.Height()); + float ceil_width = std::ceil(cell_bbox.Width()); + + // Validate the float will fit into the int when the conversion is done. + if (!pdfium::base::IsValueInRangeForNumericType<int>(ceil_height) || + !pdfium::base::IsValueInRangeForNumericType<int>(ceil_width)) { + return; + } + + int width = static_cast<int>(ceil_width); + int height = static_cast<int>(ceil_height); + if (width <= 0) width = 1; - if (height == 0) + if (height <= 0) height = 1; CFX_FloatRect clip_box_p = @@ -2247,6 +2259,10 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern, int max_row = (int)floor((clip_box_p.top - pPattern->bbox().bottom) / pPattern->y_step()); + // Make sure we can fit the needed width * height into an int. + if (height > std::numeric_limits<int>::max() / width) + return; + if (width > clip_box.Width() || height > clip_box.Height() || width * height > clip_box.Width() * clip_box.Height()) { std::unique_ptr<CPDF_GraphicStates> pStates; |