diff options
author | thestig <thestig@chromium.org> | 2016-08-15 14:33:21 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-15 14:33:22 -0700 |
commit | 19cdfe4d73370b21709aefd9dce06cf463239fa1 (patch) | |
tree | 4f1c00074c2f5c04fd32a90e125d56d3ebe464ba /core/fxge/ge/cfx_renderdevice.cpp | |
parent | ef523dd36aea991084b8b934df846014a5c09c6f (diff) | |
download | pdfium-19cdfe4d73370b21709aefd9dce06cf463239fa1.tar.xz |
Avoid integer overflows in FXGE_GetGlyphsBBox().
And also CFX_RenderDevice::DrawNormalText().
BUG=637192
Review-Url: https://codereview.chromium.org/2244613002
Diffstat (limited to 'core/fxge/ge/cfx_renderdevice.cpp')
-rw-r--r-- | core/fxge/ge/cfx_renderdevice.cpp | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/core/fxge/ge/cfx_renderdevice.cpp b/core/fxge/ge/cfx_renderdevice.cpp index 53ee039cd3..fcb99f79c2 100644 --- a/core/fxge/ge/cfx_renderdevice.cpp +++ b/core/fxge/ge/cfx_renderdevice.cpp @@ -6,6 +6,7 @@ #include "core/fxge/include/cfx_renderdevice.h" +#include "core/fxcrt/include/fx_safe_types.h" #include "core/fxge/include/cfx_fxgedevice.h" #include "core/fxge/include/cfx_graphstatedata.h" #include "core/fxge/include/cfx_pathdata.h" @@ -997,17 +998,30 @@ FX_BOOL CFX_RenderDevice::DrawNormalText(int nChars, int b = 0; if (anti_alias == FXFT_RENDER_MODE_LCD) ArgbDecode(fill_color, a, r, g, b); + for (const FXTEXT_GLYPHPOS& glyph : glyphs) { if (!glyph.m_pGlyph) continue; + + pdfium::base::CheckedNumeric<int> left = glyph.m_OriginX; + left += glyph.m_pGlyph->m_Left; + left -= pixel_left; + if (!left.IsValid()) + return FALSE; + + pdfium::base::CheckedNumeric<int> top = glyph.m_OriginY; + top -= glyph.m_pGlyph->m_Top; + top -= pixel_top; + if (!top.IsValid()) + return FALSE; + const CFX_DIBitmap* pGlyph = &glyph.m_pGlyph->m_Bitmap; - int left = glyph.m_OriginX + glyph.m_pGlyph->m_Left - pixel_left; - int top = glyph.m_OriginY - glyph.m_pGlyph->m_Top - pixel_top; int ncols = pGlyph->GetWidth(); int nrows = pGlyph->GetHeight(); if (anti_alias == FXFT_RENDER_MODE_NORMAL) { - if (!bitmap.CompositeMask(left, top, ncols, nrows, pGlyph, fill_color, 0, - 0, FXDIB_BLEND_NORMAL, nullptr, FALSE, 0, + if (!bitmap.CompositeMask(left.ValueOrDie(), top.ValueOrDie(), ncols, + nrows, pGlyph, fill_color, 0, 0, + FXDIB_BLEND_NORMAL, nullptr, FALSE, 0, nullptr)) { return FALSE; } @@ -1016,12 +1030,19 @@ FX_BOOL CFX_RenderDevice::DrawNormalText(int nChars, bool bBGRStripe = !!(text_flags & FXTEXT_BGR_STRIPE); ncols /= 3; int x_subpixel = (int)(glyph.m_fOriginX * 3) % 3; - int start_col = std::max(left, 0); - int end_col = std::min(left + ncols, dest_width); + int start_col = std::max(left.ValueOrDie(), 0); + pdfium::base::CheckedNumeric<int> end_col_safe = left; + end_col_safe += ncols; + if (!end_col_safe.IsValid()) + return FALSE; + + int end_col = std::min(end_col_safe.ValueOrDie(), dest_width); if (start_col >= end_col) continue; - DrawNormalTextHelper(&bitmap, pGlyph, nrows, left, top, start_col, end_col, - bNormal, bBGRStripe, x_subpixel, a, r, g, b); + + DrawNormalTextHelper(&bitmap, pGlyph, nrows, left.ValueOrDie(), + top.ValueOrDie(), start_col, end_col, bNormal, + bBGRStripe, x_subpixel, a, r, g, b); } if (bitmap.IsAlphaMask()) SetBitMask(&bitmap, bmp_rect.left, bmp_rect.top, fill_color); |