From 59f4b44d1fbb259967ea518e0bf5fa76b0cc9767 Mon Sep 17 00:00:00 2001 From: JUN FANG Date: Tue, 19 May 2015 14:44:13 -0700 Subject: Fix Heap Overflow in CJBig2_Image::expand Integer overflow in CJBig2_Image::expand. It causes the size of reallocated is not expected. BUG=483981 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1131023008 --- core/src/fxcodec/jbig2/JBig2_Image.cpp | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp index 5da1fc63d0..03929b84c8 100644 --- a/core/src/fxcodec/jbig2/JBig2_Image.cpp +++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp @@ -4,10 +4,12 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#include "JBig2_Image.h" +#include #include "../../../include/fxcrt/fx_basic.h" #include "../../../include/fxcrt/fx_coordinates.h" -#include +#include "../../../src/fxcrt/fx_safe_types.h" +#include "JBig2_Image.h" + CJBig2_Image::CJBig2_Image(FX_INT32 w, FX_INT32 h) { m_nWidth = w; @@ -768,7 +770,12 @@ void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v) if (!m_pData) { return; } - m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, h * m_nStride); + FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast(h); + safeMemSize *= pdfium::base::checked_cast(m_nStride); + if (!safeMemSize.IsValid()) { + return; + } + m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie()); if(h > m_nHeight) { JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride); } -- cgit v1.2.3