From 89063ecda876e3be7df5935860235eb5f8199ded Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Wed, 18 Jul 2018 00:56:29 +0000
Subject: Improve image size validation in CPDF_ScaledRenderBuffer.

In CPDF_ScaledRenderBuffer::Initialize(), use the existing
CFX_DIBitmap::CalculatePitchAndSize() function to figure out the pitch
and size. Unlike the existing code, CalculatePitchAndSize() does a
better job of checking for integer overflows.

BUG=pdfium:1123

Change-Id: Ic8fe7226bc56fed0456486d88e02a7af2928bc94
Reviewed-on: https://pdfium-review.googlesource.com/38010
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
index 2d86024787..6f6aa7c404 100644
--- a/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
+++ b/core/fpdfapi/render/cpdf_scaledrenderbuffer.cpp
@@ -12,7 +12,11 @@
 #include "core/fxge/dib/cfx_dibitmap.h"
 #include "third_party/base/ptr_util.h"
 
-#define _FPDFAPI_IMAGESIZE_LIMIT_ (30 * 1024 * 1024)
+namespace {
+
+constexpr size_t kImageSizeLimitBytes = 30 * 1024 * 1024;
+
+}  // namespace
 
 CPDF_ScaledRenderBuffer::CPDF_ScaledRenderBuffer() {}
 
@@ -54,14 +58,18 @@ bool CPDF_ScaledRenderBuffer::Initialize(CPDF_RenderContext* pContext,
   while (1) {
     FX_RECT bitmap_rect =
         m_Matrix.TransformRect(CFX_FloatRect(pRect)).GetOuterRect();
-    int32_t iWidth = bitmap_rect.Width();
-    int32_t iHeight = bitmap_rect.Height();
-    int32_t iPitch = (iWidth * bpp + 31) / 32 * 4;
-    if (iWidth * iHeight < 1)
+    int32_t width = bitmap_rect.Width();
+    int32_t height = bitmap_rect.Height();
+    // Set to 0 to make CalculatePitchAndSize() calculate it.
+    uint32_t pitch = 0;
+    uint32_t size;
+    if (!CFX_DIBitmap::CalculatePitchAndSize(width, height, dibFormat, &pitch,
+                                             &size)) {
       return false;
+    }
 
-    if (iPitch * iHeight <= _FPDFAPI_IMAGESIZE_LIMIT_ &&
-        m_pBitmapDevice->Create(iWidth, iHeight, dibFormat, nullptr)) {
+    if (size <= kImageSizeLimitBytes &&
+        m_pBitmapDevice->Create(width, height, dibFormat, nullptr)) {
       break;
     }
     m_Matrix.Scale(0.5f, 0.5f);
-- 
cgit v1.2.3