summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-01-18 19:07:58 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-01-18 19:07:58 +0000
commit4aadb708642003404e666026bb6d390b5989e2b4 (patch)
treea9efa4b7bb02e143804ff0c8c502f1c9146324fc /core
parent28cb9a764765ed3e3fc981ff6f4e9e0519033954 (diff)
downloadpdfium-4aadb708642003404e666026bb6d390b5989e2b4.tar.xz
Avoid integer overflows in CJBig2_Image::composeTo_opt2().
BUG=chromium:802983 Change-Id: I866ece9c370bf05571b76b50ad23598f5038332b Reviewed-on: https://pdfium-review.googlesource.com/23151 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/jbig2/JBig2_Image.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/core/fxcodec/jbig2/JBig2_Image.cpp b/core/fxcodec/jbig2/JBig2_Image.cpp
index 13323bac30..b0d75d4d96 100644
--- a/core/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/fxcodec/jbig2/JBig2_Image.cpp
@@ -259,14 +259,18 @@ bool CJBig2_Image::composeTo_opt2(CJBig2_Image* pDst,
int32_t xs0 = x < 0 ? -x : 0;
int32_t xs1;
- if (x + m_nWidth > pDst->m_nWidth)
- xs1 = pDst->m_nWidth - x;
+ FX_SAFE_INT32 iChecked = pDst->m_nWidth;
+ iChecked -= x;
+ if (iChecked.IsValid() && m_nWidth > iChecked.ValueOrDie())
+ xs1 = iChecked.ValueOrDie();
else
xs1 = m_nWidth;
int32_t ys0 = y < 0 ? -y : 0;
int32_t ys1;
- if (y + m_nHeight > pDst->m_nHeight)
+ iChecked = pDst->m_nHeight;
+ iChecked -= y;
+ if (iChecked.IsValid() && m_nHeight > iChecked.ValueOrDie())
ys1 = pDst->m_nHeight - y;
else
ys1 = m_nHeight;