From 229d05df5bc5deb3890b26b614113c25d9b6935e Mon Sep 17 00:00:00 2001
From: weili
Date: Thu, 11 Aug 2016 19:43:58 -0700
Subject: Fix an integer overflow in CStretchEngine constructor
When the source bitmap's width and height are large, the multiplication could easily overflow a signed integer. Change to use 'long long' type for calculation to avoid that.
BUG=chromium:635663
Review-Url: https://codereview.chromium.org/2240723002
---
 BUILD.gn | 1 +
 core/fxge/dib/fx_dib_engine.cpp | 4 ++--
 core/fxge/dib/fx_dib_engine_unittest.cpp | 30 ++++++++++++++++++++++++++++++
 pdfium.gyp | 1 +
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 core/fxge/dib/fx_dib_engine_unittest.cpp
diff --git a/BUILD.gn b/BUILD.gn
index 8d9dd8167e..a4a3e8dd65 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1572,6 +1572,7 @@ test("pdfium_unittests") {
 "core/fxcrt/fx_bidi_unittest.cpp",
 "core/fxcrt/fx_extension_unittest.cpp",
 "core/fxcrt/fx_system_unittest.cpp",
+ "core/fxge/dib/fx_dib_engine_unittest.cpp",
 "fpdfsdk/fpdfdoc_unittest.cpp",
 "fpdfsdk/fpdfeditimg_unittest.cpp",
 ]
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 520148fc77..88b0d4b271 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -306,8 +306,8 @@ CStretchEngine::CStretchEngine(IFX_ScanlineComposer* pDestBitmap,
 FX_BOOL bInterpol = flags & FXDIB_INTERPOL || flags & FXDIB_BICUBIC_INTERPOL;
 if (!bInterpol && FXSYS_abs(dest_width) != 0 &&
- FXSYS_abs(dest_height) <
- m_SrcWidth * m_SrcHeight * 8 / FXSYS_abs(dest_width)) {
+ FXSYS_abs(dest_height) / 8 < static_cast(m_SrcWidth) *
+ m_SrcHeight / FXSYS_abs(dest_width)) {
 flags = FXDIB_INTERPOL;
 }
 m_Flags = flags;
diff --git a/core/fxge/dib/fx_dib_engine_unittest.cpp b/core/fxge/dib/fx_dib_engine_unittest.cpp
new file mode 100644
index 0000000000..d185adf49d
--- /dev/null
+++ b/core/fxge/dib/fx_dib_engine_unittest.cpp
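Review bot: Moving the factor across the inequality as `FXSYS_abs(dest_height) / 8` instead of `m_SrcWidth * m_SrcHeight * 8` changes the outcome at the threshold, because the two sides are now truncated independently: for a constructed case with source area 5, `FXSYS_abs(dest_width)` 4 and `FXSYS_abs(dest_height)` 8, the removed test evaluates `8 < 40 / 4` (true) while the added one evaluates `8 / 8 < 5 / 4` (false), so interpolation is no longer forced there. The commit message only mentions the overflow, so if the shifted boundary is intentional it should be stated on the added line, e.g. `// Divide dest_height by 8 rather than multiplying the source area by 8: the single product then fits in long long for any int operands, at the cost of slightly different rounding at the threshold.` The cast's template argument is not visible on this page (the message says long long); with it `m_SrcWidth * m_SrcHeight` cannot overflow for int operands, whereas keeping `* 8` on that side could still overflow for extreme values, which is presumably why the factor was moved. The constructor continues outside the hunk, so any other products of `m_SrcWidth` and `m_SrcHeight` in it are not checked here.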
@@ -0,0 +1,30 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+
+#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_number.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
+#include "core/fpdfapi/fpdf_render/render_int.h"
+#include "core/fxcrt/include/fx_memory.h"
+#include "core/fxge/dib/dib_int.h"
+#include "core/fxge/include/fx_dib.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(CStretchEngine, OverflowInCtor) {
+ FX_RECT clip_rect;
+ std::unique_ptr> dict_obj(
+ new CPDF_Dictionary);
+ dict_obj->SetAt("Width", new CPDF_Number(71000));
+ dict_obj->SetAt("Height", new CPDF_Number(12500));
+ std::unique_ptr> stream(
+ new CPDF_Stream(nullptr, 0, dict_obj.release()));
+ CPDF_DIBSource dib_source;
+ dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr,
+ false, 0, false);
+ CStretchEngine engine(nullptr, FXDIB_8bppRgb, 500, 500, clip_rect,
+ &dib_source, 0);
+ EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags);
+}
diff --git a/pdfium.gyp b/pdfium.gyp
index 1cc8758bd9..f04ce42d4f 100644
--- a/pdfium.gyp
+++ b/pdfium.gyp
@@ -949,6 +949,7 @@
 'core/fxcrt/fx_bidi_unittest.cpp',
 'core/fxcrt/fx_extension_unittest.cpp',
 'core/fxcrt/fx_system_unittest.cpp',
+ 'core/fxge/dib/fx_dib_engine_unittest.cpp',
 'fpdfsdk/fpdfdoc_unittest.cpp',
 'fpdfsdk/fpdfeditimg_unittest.cpp',
 'testing/fx_string_testhelpers.h',
--
cgit v1.2.3
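Review bot: The result of `dib_source.Load(...)` is discarded, so if loading the synthetic 71000x12500 stream fails the engine is built from an unloaded source and `EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags)` no longer demonstrates that the overflow path was exercised. If `Load` reports success through its return value, assert on it, e.g. `ASSERT_TRUE(dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr, false, 0, false));`, so a broken fixture fails loudly rather than passing or failing for an unrelated reason. The two `SetAt` lines would also benefit from a comment naming why these dimensions were chosen, e.g. `// 71000 * 12500 * 8 exceeds INT_MAX, so the former int arithmetic overflowed here.`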