summaryrefslogtreecommitdiff
path: root/core/src/fxcodec
diff options
context:
space:
mode:
authorJUN FANG <jun_fang@foxitsoftware.com>2015-05-19 14:44:13 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-05-19 14:57:18 -0700
commit6ecf19ced0de2d41720b4067171e751ca38c8ba2 (patch)
treee914297d0d65560ecb71a23d76f7361d39f8fb47 /core/src/fxcodec
parente42655964be98606d8832e816f05efbb34b42b42 (diff)
downloadpdfium-6ecf19ced0de2d41720b4067171e751ca38c8ba2.tar.xz
Merge to XFA: Fix Heap Overflow in CJBig2_Image::expand
Integer overflow in CJBig2_Image::expand. It causes the size of reallocated is not expected. BUG=483981 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1131023008
Diffstat (limited to 'core/src/fxcodec')
-rw-r--r--core/src/fxcodec/jbig2/JBig2_Image.cpp13
1 files changed, 10 insertions, 3 deletions
diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp
index 5da1fc63d0..03929b84c8 100644
--- a/core/src/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp
@@ -4,10 +4,12 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#include "JBig2_Image.h"
+#include <limits.h>
#include "../../../include/fxcrt/fx_basic.h"
#include "../../../include/fxcrt/fx_coordinates.h"
-#include <limits.h>
+#include "../../../src/fxcrt/fx_safe_types.h"
+#include "JBig2_Image.h"
+
CJBig2_Image::CJBig2_Image(FX_INT32 w, FX_INT32 h)
{
m_nWidth = w;
@@ -768,7 +770,12 @@ void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
if (!m_pData) {
return;
}
- m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, h * m_nStride);
+ FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h);
+ safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+ if (!safeMemSize.IsValid()) {
+ return;
+ }
+ m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
if(h > m_nHeight) {
JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
}