diff options
author | Lei Zhang <thestig@chromium.org> | 2018-07-18 00:56:29 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-18 00:56:29 +0000 |
commit | 89063ecda876e3be7df5935860235eb5f8199ded (patch) | |
tree | cdcad994bbe691e6073c45aef4603f8f5b40be24 /core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp | |
parent | 091c0c77fe0e590ecaea993fb0d9e7fb62c8150b (diff) | |
download | pdfium-89063ecda876e3be7df5935860235eb5f8199ded.tar.xz |
Improve image size validation in CPDF_ScaledRenderBuffer.
In CPDF_ScaledRenderBuffer::Initialize(), use the existing
CFX_DIBitmap::CalculatePitchAndSize() function to figure out the pitch
and size. Unlike the existing code, CalculatePitchAndSize() does a
better job of checking for integer overflows.
BUG=pdfium:1123
Change-Id: Ic8fe7226bc56fed0456486d88e02a7af2928bc94
Reviewed-on: https://pdfium-review.googlesource.com/38010
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp')
-rw-r--r-- | core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp index 2d86024787..6f6aa7c404 100644 --- a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp +++ b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp @@ -12,7 +12,11 @@ #include "core/fxge/dib/cfx_dibitmap.h" #include "third_party/base/ptr_util.h" -#define _FPDFAPI_IMAGESIZE_LIMIT_ (30 * 1024 * 1024) +namespace { + +constexpr size_t kImageSizeLimitBytes = 30 * 1024 * 1024; + +} // namespace CPDF_ScaledRenderBuffer::CPDF_ScaledRenderBuffer() {} @@ -54,14 +58,18 @@ bool CPDF_ScaledRenderBuffer::Initialize(CPDF_RenderContext* pContext, while (1) { FX_RECT bitmap_rect = m_Matrix.TransformRect(CFX_FloatRect(pRect)).GetOuterRect(); - int32_t iWidth = bitmap_rect.Width(); - int32_t iHeight = bitmap_rect.Height(); - int32_t iPitch = (iWidth * bpp + 31) / 32 * 4; - if (iWidth * iHeight < 1) + int32_t width = bitmap_rect.Width(); + int32_t height = bitmap_rect.Height(); + // Set to 0 to make CalculatePitchAndSize() calculate it. + uint32_t pitch = 0; + uint32_t size; + if (!CFX_DIBitmap::CalculatePitchAndSize(width, height, dibFormat, &pitch, + &size)) { return false; + } - if (iPitch * iHeight <= _FPDFAPI_IMAGESIZE_LIMIT_ && - m_pBitmapDevice->Create(iWidth, iHeight, dibFormat, nullptr)) { + if (size <= kImageSizeLimitBytes && + m_pBitmapDevice->Create(width, height, dibFormat, nullptr)) { break; } m_Matrix.Scale(0.5f, 0.5f); |