summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2018-09-13 23:09:01 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-09-13 23:09:01 +0000
commit7a956edb6b5356ebab6bae0a6c3d8bd279c01019 (patch)
tree8838aefec16747a5eff7b81d5ff7ae1443f57231 /core
parent61f1d62daa127097e4719575bd0ff652abcebad0 (diff)
downloadpdfium-7a956edb6b5356ebab6bae0a6c3d8bd279c01019.tar.xz
Use safe math in MatchFloatRange().
Bug: 882959 Change-Id: I3ce17916da1346158dbf5282be6696879a22567a Reviewed-on: https://pdfium-review.googlesource.com/42355 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcrt/fx_coordinates.cpp24
1 files changed, 16 insertions, 8 deletions
diff --git a/core/fxcrt/fx_coordinates.cpp b/core/fxcrt/fx_coordinates.cpp
index 12bf8b6c38..e17a411bba 100644
--- a/core/fxcrt/fx_coordinates.cpp
+++ b/core/fxcrt/fx_coordinates.cpp
@@ -9,18 +9,26 @@
#include <utility>
#include "core/fxcrt/fx_extension.h"
+#include "core/fxcrt/fx_safe_types.h"
namespace {
void MatchFloatRange(float f1, float f2, int* i1, int* i2) {
- int length = static_cast<int>(ceil(f2 - f1));
- int i1_1 = static_cast<int>(floor(f1));
- int i1_2 = static_cast<int>(ceil(f1));
- float error1 = f1 - i1_1 + fabsf(f2 - i1_1 - length);
- float error2 = i1_2 - f1 + fabsf(f2 - i1_2 - length);
-
- *i1 = error1 > error2 ? i1_2 : i1_1;
- *i2 = *i1 + length;
+ float length = ceilf(f2 - f1);
+ float f1_floor = floorf(f1);
+ float f1_ceil = ceilf(f1);
+ float error1 = f1 - f1_floor + fabsf(f2 - f1_floor - length);
+ float error2 = f1_ceil - f1 + fabsf(f2 - f1_ceil - length);
+ float start = error1 > error2 ? f1_ceil : f1_floor;
+ FX_SAFE_INT32 safe1 = start;
+ FX_SAFE_INT32 safe2 = start + length;
+ if (safe1.IsValid() && safe2.IsValid()) {
+ *i1 = safe1.ValueOrDie();
+ *i2 = safe2.ValueOrDie();
+ } else {
+ *i1 = 0;
+ *i2 = 0;
+ }
}
#if _FX_PLATFORM_ == _FX_PLATFORM_WINDOWS_