Add safe FX_Alloc2D() macro

This avoids unchecked multiplications when computing a size argument
to malloc(). Such an overflow is very scary, and can result in
exploitable bugs.

Along the way, kill off some return checks, since we know this can't
return NULL.

R=thestig@chromium.org

Review URL: https://codereview.chromium.org/1143663004

2 files changed, 8 insertions, 4 deletions

diff --git a/core/src/fxcrt/fx_basic_array.cpp b/core/src/fxcrt/fx_basic_array.cpp
index 9bdc607bfe..5a2a2e54a1 100644
--- a/core/src/fxcrt/fx_basic_array.cpp
+++ b/core/src/fxcrt/fx_basic_array.cpp
@@ -189,10 +189,7 @@ void* CFX_BaseSegmentedArray::Add()
     if (m_DataSize % m_SegmentSize) {
         return GetAt(m_DataSize ++);
     }
-    void* pSegment = FX_Alloc(FX_BYTE, m_UnitSize * m_SegmentSize);
-    if (!pSegment) {
-        return NULL;
-    }
+    void* pSegment = FX_Alloc2D(FX_BYTE, m_UnitSize, m_SegmentSize);
     if (m_pIndex == NULL) {
         m_pIndex = pSegment;
         m_DataSize ++;
diff --git a/core/src/fxcrt/fx_basic_memmgr_unittest.cpp b/core/src/fxcrt/fx_basic_memmgr_unittest.cpp
index 565021d29e..c70f3b197d 100644
--- a/core/src/fxcrt/fx_basic_memmgr_unittest.cpp
+++ b/core/src/fxcrt/fx_basic_memmgr_unittest.cpp
@@ -12,6 +12,8 @@ namespace {
 const size_t kMaxByteAlloc = std::numeric_limits<size_t>::max();
 const size_t kMaxIntAlloc = kMaxByteAlloc / sizeof(int);
 const size_t kOverflowIntAlloc = kMaxIntAlloc + 100;
+const size_t kWidth = 640;
+const size_t kOverflowIntAlloc2D = kMaxIntAlloc / kWidth + 10;
 
 }  // namespace
 
@@ -35,6 +37,11 @@ TEST(fxcrt, FX_AllocOverflow) {
     FX_Free(ptr);
 }
 
+TEST(fxcrt, FX_AllocOverflow2D) {
+    EXPECT_DEATH_IF_SUPPORTED(
+        FX_Alloc2D(int, kWidth, kOverflowIntAlloc2D), "");
+}
+
 TEST(fxcrt, DISABLED_FX_TryAllocOOM) {
     EXPECT_FALSE(FX_TryAlloc(int, kMaxIntAlloc));