summaryrefslogtreecommitdiff
path: root/fpdfsdk/src
diff options
context:
space:
mode:
authorBo Xu <bo_xu@foxitsoftware.com>2014-08-18 11:33:03 -0700
committerBo Xu <bo_xu@foxitsoftware.com>2014-08-18 11:33:03 -0700
commita94019dc7299133ef3dbb075e05e52ac047b67b3 (patch)
tree81650be29c86d829003a79b6f73438c307724bfb /fpdfsdk/src
parent91177a4d73be70344caab2a62f6610672165207f (diff)
downloadpdfium-a94019dc7299133ef3dbb075e05e52ac047b67b3.tar.xz
Check path point count overflow in DrawThisAppearance
BUG=387969 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/461343003
Diffstat (limited to 'fpdfsdk/src')
-rw-r--r--fpdfsdk/src/pdfwindow/PWL_Edit.cpp13
1 files changed, 10 insertions, 3 deletions
diff --git a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
index df59c2ccc8..dfdbf64f0e 100644
--- a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
+++ b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
@@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
CFX_ByteTextBuf sLine;
FX_INT32 nCharArray = m_pEdit->GetCharArray();
+ FX_SAFE_INT32 nCharArraySafe = nCharArray;
+ nCharArraySafe -= 1;
+ nCharArraySafe *= 2;
- if (nCharArray > 0)
+ if (nCharArray > 0 && nCharArraySafe.IsValid())
{
switch (GetBorderStyle())
{
@@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth();
CFX_PathData path;
- path.SetPointCount((nCharArray-1)*2);
+ if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+ return;
+ }
for (FX_INT32 i=0; i<nCharArray-1; i++)
{
@@ -447,7 +452,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
gsd.m_DashPhase = (FX_FLOAT)GetBorderDash().nPhase;
CFX_PathData path;
- path.SetPointCount((nCharArray-1)*2);
+ if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+ return;
+ }
for (FX_INT32 i=0; i<nCharArray-1; i++)
{