Fixup various overflow conditions

There were several overflows detected by the PDF from the linked bug. This
Cl fixes up the base causes of each of them.

BUG=chromium:635473

Review-Url: https://codereview.chromium.org/2226023002

2 files changed, 15 insertions, 0 deletions

diff --git a/core/fxcrt/include/fx_coordinates.h b/core/fxcrt/include/fx_coordinates.h
index eff2a7258a..ce97f6f6f3 100644
--- a/core/fxcrt/include/fx_coordinates.h
+++ b/core/fxcrt/include/fx_coordinates.h
@@ -150,6 +150,14 @@ struct FX_RECT {
   int Height() const { return bottom - top; }
   bool IsEmpty() const { return right <= left || bottom <= top; }
 
+  bool Valid() const {
+    pdfium::base::CheckedNumeric<int> w = right;
+    pdfium::base::CheckedNumeric<int> h = bottom;
+    w -= left;
+    h -= top;
+    return w.IsValid() && h.IsValid();
+  }
+
   void Normalize();
 
   void Intersect(const FX_RECT& src);
diff --git a/core/fxge/ge/fx_ge_device.cpp b/core/fxge/ge/fx_ge_device.cpp
index 36d2920b49..7cf11e7a1f 100644
--- a/core/fxge/ge/fx_ge_device.cpp
+++ b/core/fxge/ge/fx_ge_device.cpp
@@ -170,6 +170,13 @@ FX_BOOL CFX_RenderDevice::DrawPathWithBlend(
     if (!(fill_mode & FXFILL_RECT_AA) &&
         pPathData->IsRect(pObject2Device, &rect_f)) {
       FX_RECT rect_i = rect_f.GetOutterRect();
+
+      // Depending on the top/bottom, left/right values of the rect it's
+      // possible to overflow the Width() and Height() calculations. Check that
+      // the rect will have valid dimension before continuing.
+      if (!rect_i.Valid())
+        return FALSE;
+
       int width = (int)FXSYS_ceil(rect_f.right - rect_f.left);
       if (width < 1) {
         width = 1;