diff options
| author | weili <weili@chromium.org> | 2016-08-11 19:43:58 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-08-11 19:43:58 -0700 |
| commit | 229d05df5bc5deb3890b26b614113c25d9b6935e (patch) | |
| tree | 1491fa61aab052ac7784ef90c8a7b60368daac27 /core/fxge/dib | |
| parent | 2736276deff3abef9d6b226eb9f585abe1384591 (diff) | |
| download | pdfium-229d05df5bc5deb3890b26b614113c25d9b6935e.tar.xz | |
Fix an integer overflow in CStretchEngine constructor
When the source bitmap's width and height are large,
the multiplication could easily overflow a signed integer.
Change to use 'long long' type for calculation to avoid that.
BUG=chromium:635663
Review-Url: https://codereview.chromium.org/2240723002
Diffstat (limited to 'core/fxge/dib')
| -rw-r--r-- | core/fxge/dib/fx_dib_engine.cpp | 4 | ||||
| -rw-r--r-- | core/fxge/dib/fx_dib_engine_unittest.cpp | 30 |
2 files changed, 32 insertions, 2 deletions
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp index 520148fc77..88b0d4b271 100644 --- a/core/fxge/dib/fx_dib_engine.cpp +++ b/core/fxge/dib/fx_dib_engine.cpp @@ -306,8 +306,8 @@ CStretchEngine::CStretchEngine(IFX_ScanlineComposer* pDestBitmap, FX_BOOL bInterpol = flags & FXDIB_INTERPOL || flags & FXDIB_BICUBIC_INTERPOL; if (!bInterpol && FXSYS_abs(dest_width) != 0 && - FXSYS_abs(dest_height) < - m_SrcWidth * m_SrcHeight * 8 / FXSYS_abs(dest_width)) { + FXSYS_abs(dest_height) / 8 < static_cast<long long>(m_SrcWidth) * + m_SrcHeight / FXSYS_abs(dest_width)) { flags = FXDIB_INTERPOL; } m_Flags = flags; diff --git a/core/fxge/dib/fx_dib_engine_unittest.cpp b/core/fxge/dib/fx_dib_engine_unittest.cpp new file mode 100644 index 0000000000..d185adf49d --- /dev/null +++ b/core/fxge/dib/fx_dib_engine_unittest.cpp @@ -0,0 +1,30 @@ +// Copyright 2016 PDFium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <memory> + +#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" +#include "core/fpdfapi/fpdf_parser/include/cpdf_number.h" +#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" +#include "core/fpdfapi/fpdf_render/render_int.h" +#include "core/fxcrt/include/fx_memory.h" +#include "core/fxge/dib/dib_int.h" +#include "core/fxge/include/fx_dib.h" +#include "testing/gtest/include/gtest/gtest.h" + +TEST(CStretchEngine, OverflowInCtor) { + FX_RECT clip_rect; + std::unique_ptr<CPDF_Dictionary, ReleaseDeleter<CPDF_Dictionary>> dict_obj( + new CPDF_Dictionary); + dict_obj->SetAt("Width", new CPDF_Number(71000)); + dict_obj->SetAt("Height", new CPDF_Number(12500)); + std::unique_ptr<CPDF_Stream, ReleaseDeleter<CPDF_Stream>> stream( + new CPDF_Stream(nullptr, 0, dict_obj.release())); + CPDF_DIBSource dib_source; + dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr, + false, 0, false); + CStretchEngine engine(nullptr, FXDIB_8bppRgb, 500, 500, clip_rect, + &dib_source, 0); + EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags); +} |