diff options
author | Bo Xu <bo_xu@foxitsoftware.com> | 2014-08-18 11:33:03 -0700 |
---|---|---|
committer | Bo Xu <bo_xu@foxitsoftware.com> | 2014-08-18 11:33:03 -0700 |
commit | a94019dc7299133ef3dbb075e05e52ac047b67b3 (patch) | |
tree | 81650be29c86d829003a79b6f73438c307724bfb /fpdfsdk/src/pdfwindow | |
parent | 91177a4d73be70344caab2a62f6610672165207f (diff) | |
download | pdfium-a94019dc7299133ef3dbb075e05e52ac047b67b3.tar.xz |
Check path point count overflow in DrawThisAppearance
BUG=387969
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/461343003
Diffstat (limited to 'fpdfsdk/src/pdfwindow')
-rw-r--r-- | fpdfsdk/src/pdfwindow/PWL_Edit.cpp | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp index df59c2ccc8..dfdbf64f0e 100644 --- a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp +++ b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp @@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser CFX_ByteTextBuf sLine; FX_INT32 nCharArray = m_pEdit->GetCharArray(); + FX_SAFE_INT32 nCharArraySafe = nCharArray; + nCharArraySafe -= 1; + nCharArraySafe *= 2; - if (nCharArray > 0) + if (nCharArray > 0 && nCharArraySafe.IsValid()) { switch (GetBorderStyle()) { @@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth(); CFX_PathData path; - path.SetPointCount((nCharArray-1)*2); + if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) { + return; + } for (FX_INT32 i=0; i<nCharArray-1; i++) { @@ -447,7 +452,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser gsd.m_DashPhase = (FX_FLOAT)GetBorderDash().nPhase; CFX_PathData path; - path.SetPointCount((nCharArray-1)*2); + if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) { + return; + } for (FX_INT32 i=0; i<nCharArray-1; i++) { |