Merge to XFA: Change |CCodec_ScanlineDecoder::m_Pitch| to FX_DWORD

This matches the type of the corresponding |CFX_DIBSource::m_Pitch|,
where integer overflow is checked for FX_DWORD. This change is
propagated to many other places.

Also, check for integer overflow in |CCodec_RLScanlineDecoder::Create|
during the calculation of |m_Pitch| since it aligns to 4 bytes while
overflow was was previously checked without this alignment.

TBR=tsepez@chromium.org
BUG=555784

Review URL: https://codereview.chromium.org/1460033002 .

(cherry picked from commit e7950df70a2fd658f466751b29483436cb31e829)

Review URL: https://codereview.chromium.org/1461363002 .

1 files changed, 10 insertions, 0 deletions

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
index a5a198e7b2..c80770366b 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode_embeddertest.cpp
@@ -105,4 +105,14 @@ TEST_F(FPDFParserDecodeEmbeddertest, Bug_552046) {
   UnloadPage(page);
 }
 
+TEST_F(FPDFParserDecodeEmbeddertest, Bug_555784) {
+  // Tests bad input to the run length decoder that caused a heap overflow.
+  // Should not cause a crash when rendered.
+  EXPECT_TRUE(OpenDocument("bug_555784.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  FPDF_BITMAP bitmap = RenderPage(page);
+  FPDFBitmap_Destroy(bitmap);
+  UnloadPage(page);
+}
+
 #undef TEST_CASE