author | stackexploit <stackexploit@gmail.com> | 2016-09-26 13:54:55 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-26 13:54:56 -0700 |
commit | 5aed0216ad6574944e76a95ef0dbbc910bab4a1a (patch) | |
tree | 9b01025004edc0a10f9c750cc53d69f0d72691c9 /core/fxge | |
parent | 9c33e89a43fd316fb42a7134d34585eb04c60416 (diff) | |
download | pdfium-5aed0216ad6574944e76a95ef0dbbc910bab4a1a.tar.xz |
Strengthen bounds check in CWeightTable::Calc.
The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize),
but PixelWeight.m_Weights was an int array. Thus bounds checks such as |if (idx >= m_dwWeightTablesSize)|
in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr|
in function CWeightTable::GetValueFromPixelWeight() were insufficient.
This CL strengthens the bounds checks for accesses to the int array PixelWeight.m_Weights.
BUG=chromium:619398
R=ochang@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2322903002
Diffstat (limited to 'core/fxge')
-rw-r--r-- | core/fxge/dib/dib_int.h | 1 | ||||
-rw-r--r-- | core/fxge/dib/fx_dib_engine.cpp | 8 |
2 files changed, 7 insertions, 2 deletions
diff --git a/core/fxge/dib/dib_int.h b/core/fxge/dib/dib_int.h
index aa4a7927fb..31ccc8d371 100644
--- a/core/fxge/dib/dib_int.h
+++ b/core/fxge/dib/dib_int.h
@@ -55,6 +55,7 @@ class CWeightTable {
 int flags);
 PixelWeight* GetPixelWeight(int pixel) const;
 int* GetValueFromPixelWeight(PixelWeight* pWeight, int index) const;
+ size_t GetPixelWeightSize() const;
 private:
 int m_DestMin;
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 88b0d4b271..7ba031e8aa 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -41,6 +41,10 @@ CWeightTable::~CWeightTable() {
 FX_Free(m_pWeightTables);
 }
+size_t CWeightTable::GetPixelWeightSize() const {
+ return m_dwWeightTablesSize / sizeof(int);
+}
+
 bool CWeightTable::Calc(int dest_len,
 int dest_min,
 int dest_max,
@@ -235,7 +239,7 @@ bool CWeightTable::Calc(int dest_len,
 break;
 }
 size_t idx = j - start_i;
- if (idx >= m_dwWeightTablesSize)
+ if (idx >= GetPixelWeightSize())
 return false;
 pixel_weights.m_Weights[idx] = FXSYS_round((FX_FLOAT)(weight * 65536));
 }
@@ -255,7 +259,7 @@ int* CWeightTable::GetValueFromPixelWeight(PixelWeight* pWeight,
 return nullptr;
 size_t idx = index - pWeight->m_SrcStart;
- return idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr;
+ return idx < GetPixelWeightSize() ? &pWeight->m_Weights[idx] : nullptr;
 }
 CStretchEngine::CStretchEngine(IFX_ScanlineComposer* pDestBitmap, |
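Review bot: `GetPixelWeightSize()` is declared in the public section of CWeightTable with no comment, and its name does not say what unit it returns or what it measures. In this commit it is only called from CWeightTable's own methods, so it could sit under `private:`; either way I would add `// Number of int-sized slots in the weight table allocation (m_dwWeightTablesSize / sizeof(int)).` above the declaration. The class body starts and ends outside the hunk.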
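Review bot: `GetPixelWeightSize()` divides the byte size of the whole weight-table allocation by `sizeof(int)`, so the checks in `Calc()` and `GetValueFromPixelWeight()` (the two later hunks in this file) bound `idx` by the allocation as a whole, not by the space that remains after the `PixelWeight` being indexed. If the table holds one `PixelWeight` per destination pixel, as `GetPixelWeight(int pixel)` suggests, an `idx` below this limit can still land in a neighbouring entry or past the end of the buffer for entries near the end, because each entry's offset and its non-weight fields (`m_SrcStart` is visible here) are not subtracted. The limit should come from the per-entry capacity — the entry size minus the fields that precede `m_Weights`, divided by `sizeof(int)` — and a comment on the function should state which of the two it returns. `Calc()` and `GetValueFromPixelWeight()` both extend outside their hunks, so the allocation and entry layout should be confirmed against the full file.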