summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-07-18 00:56:29 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-07-18 00:56:29 +0000
commit89063ecda876e3be7df5935860235eb5f8199ded (patch)
treecdcad994bbe691e6073c45aef4603f8f5b40be24 /core
parent091c0c77fe0e590ecaea993fb0d9e7fb62c8150b (diff)
downloadpdfium-89063ecda876e3be7df5935860235eb5f8199ded.tar.xz
Improve image size validation in CPDF_ScaledRenderBuffer.
In CPDF_ScaledRenderBuffer::Initialize(), use the existing CFX_DIBitmap::CalculatePitchAndSize() function to figure out the pitch and size. Unlike the existing code, CalculatePitchAndSize() does a better job of checking for integer overflows. BUG=pdfium:1123 Change-Id: Ic8fe7226bc56fed0456486d88e02a7af2928bc94 Reviewed-on: https://pdfium-review.googlesource.com/38010 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp22
1 files changed, 15 insertions, 7 deletions
diff --git a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
index 2d86024787..6f6aa7c404 100644
--- a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
+++ b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
@@ -12,7 +12,11 @@
#include "core/fxge/dib/cfx_dibitmap.h"
#include "third_party/base/ptr_util.h"
-#define _FPDFAPI_IMAGESIZE_LIMIT_ (30 * 1024 * 1024)
+namespace {
+
+constexpr size_t kImageSizeLimitBytes = 30 * 1024 * 1024;
+
+} // namespace
CPDF_ScaledRenderBuffer::CPDF_ScaledRenderBuffer() {}
@@ -54,14 +58,18 @@ bool CPDF_ScaledRenderBuffer::Initialize(CPDF_RenderContext* pContext,
while (1) {
FX_RECT bitmap_rect =
m_Matrix.TransformRect(CFX_FloatRect(pRect)).GetOuterRect();
- int32_t iWidth = bitmap_rect.Width();
- int32_t iHeight = bitmap_rect.Height();
- int32_t iPitch = (iWidth * bpp + 31) / 32 * 4;
- if (iWidth * iHeight < 1)
+ int32_t width = bitmap_rect.Width();
+ int32_t height = bitmap_rect.Height();
+ // Set to 0 to make CalculatePitchAndSize() calculate it.
+ uint32_t pitch = 0;
+ uint32_t size;
+ if (!CFX_DIBitmap::CalculatePitchAndSize(width, height, dibFormat, &pitch,
+ &size)) {
return false;
+ }
- if (iPitch * iHeight <= _FPDFAPI_IMAGESIZE_LIMIT_ &&
- m_pBitmapDevice->Create(iWidth, iHeight, dibFormat, nullptr)) {
+ if (size <= kImageSizeLimitBytes &&
+ m_pBitmapDevice->Create(width, height, dibFormat, nullptr)) {
break;
}
m_Matrix.Scale(0.5f, 0.5f);