From 4aadb708642003404e666026bb6d390b5989e2b4 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 18 Jan 2018 19:07:58 +0000
Subject: Avoid integer overflows in CJBig2_Image::composeTo_opt2().

BUG=chromium:802983

Change-Id: I866ece9c370bf05571b76b50ad23598f5038332b
Reviewed-on: https://pdfium-review.googlesource.com/23151
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 core/fxcodec/jbig2/JBig2_Image.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/core/fxcodec/jbig2/JBig2_Image.cpp b/core/fxcodec/jbig2/JBig2_Image.cpp
index 13323bac30..b0d75d4d96 100644
--- a/core/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/fxcodec/jbig2/JBig2_Image.cpp
@@ -259,14 +259,18 @@ bool CJBig2_Image::composeTo_opt2(CJBig2_Image* pDst,
 
   int32_t xs0 = x < 0 ? -x : 0;
   int32_t xs1;
-  if (x + m_nWidth > pDst->m_nWidth)
-    xs1 = pDst->m_nWidth - x;
+  FX_SAFE_INT32 iChecked = pDst->m_nWidth;
+  iChecked -= x;
+  if (iChecked.IsValid() && m_nWidth > iChecked.ValueOrDie())
+    xs1 = iChecked.ValueOrDie();
   else
     xs1 = m_nWidth;
 
   int32_t ys0 = y < 0 ? -y : 0;
   int32_t ys1;
-  if (y + m_nHeight > pDst->m_nHeight)
+  iChecked = pDst->m_nHeight;
+  iChecked -= y;
+  if (iChecked.IsValid() && m_nHeight > iChecked.ValueOrDie())
     ys1 = pDst->m_nHeight - y;
   else
     ys1 = m_nHeight;
-- 
cgit v1.2.3