From 59f4b44d1fbb259967ea518e0bf5fa76b0cc9767 Mon Sep 17 00:00:00 2001
From: JUN FANG <jun_fang@foxitsoftware.com>
Date: Tue, 19 May 2015 14:44:13 -0700
Subject: Fix Heap Overflow in CJBig2_Image::expand

Integer overflow in CJBig2_Image::expand.
It causes the size of reallocated is not
expected.

BUG=483981
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1131023008
---
 core/src/fxcodec/jbig2/JBig2_Image.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp
index 5da1fc63d0..03929b84c8 100644
--- a/core/src/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp
@@ -4,10 +4,12 @@
  
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#include "JBig2_Image.h"
+#include <limits.h>
 #include "../../../include/fxcrt/fx_basic.h"
 #include "../../../include/fxcrt/fx_coordinates.h"
-#include <limits.h>
+#include "../../../src/fxcrt/fx_safe_types.h"
+#include "JBig2_Image.h"
+
 CJBig2_Image::CJBig2_Image(FX_INT32 w, FX_INT32 h)
 {
     m_nWidth	= w;
@@ -768,7 +770,12 @@ void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
     if (!m_pData) {
         return;
     }
-    m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, h * m_nStride);
+    FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h); 
+    safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+    if (!safeMemSize.IsValid()) {
+        return;
+    }
+    m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
     if(h > m_nHeight) {
         JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
     }
-- 
cgit v1.2.3