diff options
| author | Oliver Chang <ochang@chromium.org> | 2015-11-20 10:01:48 -0800 |
|---|---|---|
| committer | Oliver Chang <ochang@chromium.org> | 2015-11-20 10:01:48 -0800 |
| commit | 0afbad0509578a5fee6fec4394d6b3c55425cf28 (patch) | |
| tree | 2257aa12c0d9103ab9b1d83fb573dace3f5e218a /core/src/fxcodec/codec/fx_codec.cpp | |
| parent | c7e4c4fe17f5c05671183a47541ea17f3dce75b5 (diff) | |
| download | pdfium-0afbad0509578a5fee6fec4394d6b3c55425cf28.tar.xz | |
Merge to XFA: Change |CCodec_ScanlineDecoder::m_Pitch| to FX_DWORD
This matches the type of the corresponding |CFX_DIBSource::m_Pitch|,
where integer overflow is checked for FX_DWORD. This change is
propagated to many other places.
Also, check for integer overflow in |CCodec_RLScanlineDecoder::Create|
during the calculation of |m_Pitch| since it aligns to 4 bytes while
overflow was was previously checked without this alignment.
TBR=tsepez@chromium.org
BUG=555784
Review URL: https://codereview.chromium.org/1460033002 .
(cherry picked from commit e7950df70a2fd658f466751b29483436cb31e829)
Review URL: https://codereview.chromium.org/1461363002 .
Diffstat (limited to 'core/src/fxcodec/codec/fx_codec.cpp')
| -rw-r--r-- | core/src/fxcodec/codec/fx_codec.cpp | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/core/src/fxcodec/codec/fx_codec.cpp b/core/src/fxcodec/codec/fx_codec.cpp index b357f8ac08..1efccf9af5 100644 --- a/core/src/fxcodec/codec/fx_codec.cpp +++ b/core/src/fxcodec/codec/fx_codec.cpp @@ -29,15 +29,14 @@ CCodec_ModuleMgr::CCodec_ModuleMgr() CCodec_ScanlineDecoder::ImageDataCache::ImageDataCache(int width, int height, - int pitch) - : m_Width(width), m_Height(height), m_Pitch(pitch), m_nCachedLines(0) { -} + FX_DWORD pitch) + : m_Width(width), m_Height(height), m_Pitch(pitch), m_nCachedLines(0) {} CCodec_ScanlineDecoder::ImageDataCache::~ImageDataCache() { } bool CCodec_ScanlineDecoder::ImageDataCache::AllocateCache() { - if (m_Pitch <= 0 || m_Height < 0) + if (m_Pitch == 0 || m_Height < 0) return false; FX_SAFE_SIZE_T size = m_Pitch; @@ -51,7 +50,7 @@ bool CCodec_ScanlineDecoder::ImageDataCache::AllocateCache() { void CCodec_ScanlineDecoder::ImageDataCache::AppendLine(const uint8_t* line) { // If the callers adds more lines than there is room, fail. - if (m_Pitch <= 0 || m_nCachedLines >= m_Height) { + if (m_Pitch == 0 || m_nCachedLines >= m_Height) { NOTREACHED(); return; } @@ -62,7 +61,7 @@ void CCodec_ScanlineDecoder::ImageDataCache::AppendLine(const uint8_t* line) { } const uint8_t* CCodec_ScanlineDecoder::ImageDataCache::GetLine(int line) const { - if (m_Pitch <= 0 || line < 0 || line >= m_nCachedLines) + if (m_Pitch == 0 || line < 0 || line >= m_nCachedLines) return nullptr; size_t offset = m_Pitch; @@ -364,8 +363,19 @@ FX_BOOL CCodec_RLScanlineDecoder::Create(const uint8_t* src_buf, m_bpc = bpc; m_bColorTransformed = FALSE; m_DownScale = 1; - m_Pitch = (width * nComps * bpc + 31) / 32 * 4; - m_dwLineBytes = (width * nComps * bpc + 7) / 8; + // Aligning the pitch to 4 bytes requires an integer overflow check. + FX_SAFE_DWORD pitch = width; + pitch *= nComps; + pitch *= bpc; + pitch += 31; + pitch /= 32; + pitch *= 4; + if (!pitch.IsValid()) { + return FALSE; + } + m_Pitch = pitch.ValueOrDie(); + // Overflow should already have been checked before this is called. + m_dwLineBytes = (static_cast<FX_DWORD>(width) * nComps * bpc + 7) / 8; m_pScanline = FX_Alloc(uint8_t, m_Pitch); return CheckDestSize(); } |