From 2f8568ef91156d2deb8411c427fbb52f880ccc34 Mon Sep 17 00:00:00 2001
From: stackexploit
Date: Mon, 19 Sep 2016 07:05:50 -0700
Subject: Fix compare between signed and unsigned values in CPDF_ImageRenderer::StartDIBSource.

Correct the compare logic in CPDF_ImageRenderer::StartDIBSource() by using size_t instead of int.

BUG=chromium:645036
R=ochang@chromium.org

Review-Url: https://codereview.chromium.org/2323663002
---
 core/fpdfapi/fpdf_render/fpdf_render_image.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/core/fpdfapi/fpdf_render/fpdf_render_image.cpp b/core/fpdfapi/fpdf_render/fpdf_render_image.cpp
index 6b842198ed..7ac5210291 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_image.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_image.cpp
@@ -762,9 +762,15 @@ FX_BOOL CPDF_ImageRenderer::DrawMaskedImage() {

 FX_BOOL CPDF_ImageRenderer::StartDIBSource() {
 if (!(m_Flags & RENDER_FORCE_DOWNSAMPLE) && m_pDIBSource->GetBPP() > 1) {
- int image_size = m_pDIBSource->GetBPP() / 8 * m_pDIBSource->GetWidth() *
- m_pDIBSource->GetHeight();
- if (image_size > FPDF_HUGE_IMAGE_SIZE &&
+ FX_SAFE_SIZE_T image_size = m_pDIBSource->GetBPP();
+ image_size /= 8;
+ image_size *= m_pDIBSource->GetWidth();
+ image_size *= m_pDIBSource->GetHeight();
+ if (!image_size.IsValid()) {
+ return FALSE;
+ }
+
+ if (image_size.ValueOrDie() > FPDF_HUGE_IMAGE_SIZE &&
 !(m_Flags & RENDER_FORCE_HALFTONE)) {
 m_Flags |= RENDER_FORCE_DOWNSAMPLE;
 }
--
cgit v1.2.3
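Review bot: The new `IsValid()` rejection sits inside the `!(m_Flags & RENDER_FORCE_DOWNSAMPLE) && m_pDIBSource->GetBPP() > 1` branch, so a 1-bpp source, or a render that already has the downsample flag set, never has its width/height product checked for overflow. The rest of StartDIBSource lies outside this hunk; if it or its callees derive buffer sizes from the same dimensions, the check would be safer hoisted above the branch, or the function should carry a comment saying why those paths cannot overflow. Separately, `image_size /= 8;` truncates before the multiplications, so any depth below 8 bpp yields 0 and can never reach the `FPDF_HUGE_IMAGE_SIZE` comparison; this matches the old expression but deserves a comment such as `// BPP is expected to be a multiple of 8 on this path`. The meaning of `return FALSE;` to the caller (render failed versus nothing left to continue) is not visible here and should be stated in a comment above the check.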