From 05923132ae08d45fbe957219775a48c55ee57aef Mon Sep 17 00:00:00 2001
From: stackexploit
Date: Mon, 17 Oct 2016 00:16:23 -0700
Subject: Strengthen bounds check in CWeightTable::Calc * part II

This CL implemented a better version of CWeightTable::GetPixelWeightSize(), which will calculate the size of array PixelWeight.m_Weights correctly to prevent potential heap buffer overflow conditions.

BUG=chromium:654183
R=ochang@chromium.org, thestig@chromium.org, dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2404453003
---
 core/fxge/dib/fx_dib_engine.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 389cf23909..47dcf03259 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -43,7 +43,7 @@ CWeightTable::~CWeightTable() {
 }
 
 size_t CWeightTable::GetPixelWeightSize() const {
- return m_dwWeightTablesSize / sizeof(int);
+ return m_ItemSize / sizeof(int) - 2;
 }
 
 bool CWeightTable::Calc(int dest_len,
-- 
cgit v1.2.3
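Review bot: The new return expression in GetPixelWeightSize() can wrap around. Because `sizeof(int)` is a `size_t`, `m_ItemSize / sizeof(int) - 2` is evaluated unsigned, so a quotient below 2 yields a huge count instead of zero. That could happen if the getter is called before m_ItemSize is set; its type and initial value are not visible in this hunk. Since the commit message says this value bounds accesses to PixelWeight.m_Weights, a wrapped result would make those checks pass vacuously; a clamped form avoids that: `const size_t n = m_ItemSize / sizeof(int); return n > 2 ? n - 2 : 0;`. The bare `2` presumably stands for the int fields that precede m_Weights in PixelWeight, so either say so in a comment (`// m_ItemSize covers the header ints plus m_Weights[]; drop the header`) or derive it with `offsetof(PixelWeight, m_Weights)` so it cannot drift from the struct layout.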