Fixup various overflow conditions

There were several overflows detected by the PDF from the linked bug. This Cl fixes up the base causes of each of them. BUG=chromium:635473 Review-Url: https://codereview.chromium.org/2226023002
author: dsinclair <dsinclair@chromium.org> 2016-08-09 06:50:28 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-08-09 06:50:28 -0700
commit: fb362089d952950212ccf159f86a46923f223172 (patch)
tree: 23692bebb1dc91a8b2998663336ec7902f540845 /core/fxge
parent: 5d8e5aa882fe8d37d32b71137f039165581ddb82 (diff)
download: pdfium-fb362089d952950212ccf159f86a46923f223172.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/core/fxge/ge/fx_ge_device.cpp b/core/fxge/ge/fx_ge_device.cpp
index 36d2920b49..7cf11e7a1f 100644
--- a/core/fxge/ge/fx_ge_device.cpp
+++ b/core/fxge/ge/fx_ge_device.cpp
@@ -170,6 +170,13 @@ FX_BOOL CFX_RenderDevice::DrawPathWithBlend(
     if (!(fill_mode & FXFILL_RECT_AA) &&
         pPathData->IsRect(pObject2Device, &rect_f)) {
       FX_RECT rect_i = rect_f.GetOutterRect();
+
+      // Depending on the top/bottom, left/right values of the rect it's
+      // possible to overflow the Width() and Height() calculations. Check that
+      // the rect will have valid dimension before continuing.
+      if (!rect_i.Valid())
+        return FALSE;
+
       int width = (int)FXSYS_ceil(rect_f.right - rect_f.left);
       if (width < 1) {
         width = 1;
author	dsinclair <dsinclair@chromium.org>	2016-08-09 06:50:28 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-08-09 06:50:28 -0700
commit	fb362089d952950212ccf159f86a46923f223172 (patch)
tree	23692bebb1dc91a8b2998663336ec7902f540845 /core/fxge
parent	5d8e5aa882fe8d37d32b71137f039165581ddb82 (diff)
download	pdfium-fb362089d952950212ccf159f86a46923f223172.tar.xz