From 97dab80731a15a6bd74cdc3caf11f97c3a3be5ed Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Mon, 23 Oct 2017 09:13:58 -0400
Subject: Validate pattern sizes before usage

This CL adds some validation into the tiling pattern drawing code.

BUG: chromium:775365
Change-Id: I7bcad7f7f2c83982cd955f92091658b46f6b820b
Reviewed-on: https://pdfium-review.googlesource.com/16190
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 core/fpdfapi/render/cpdf_renderstatus.cpp | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index 24ac1357b2..0bf03d27c9 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -7,6 +7,8 @@
 #include "core/fpdfapi/render/cpdf_renderstatus.h"
 
 #include <algorithm>
+#include <cmath>
+#include <limits>
 #include <memory>
 #include <utility>
 #include <vector>
@@ -2229,11 +2231,21 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
       (mtPattern2Device.IsScaled() || mtPattern2Device.Is90Rotated());
 
   CFX_FloatRect cell_bbox = mtPattern2Device.TransformRect(pPattern->bbox());
-  int width = static_cast<int>(ceil(cell_bbox.Width()));
-  int height = static_cast<int>(ceil(cell_bbox.Height()));
-  if (width == 0)
+
+  float ceil_height = std::ceil(cell_bbox.Height());
+  float ceil_width = std::ceil(cell_bbox.Width());
+
+  // Validate the float will fit into the int when the conversion is done.
+  if (!pdfium::base::IsValueInRangeForNumericType<int>(ceil_height) ||
+      !pdfium::base::IsValueInRangeForNumericType<int>(ceil_width)) {
+    return;
+  }
+
+  int width = static_cast<int>(ceil_width);
+  int height = static_cast<int>(ceil_height);
+  if (width <= 0)
     width = 1;
-  if (height == 0)
+  if (height <= 0)
     height = 1;
 
   CFX_FloatRect clip_box_p =
@@ -2247,6 +2259,10 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
   int max_row = (int)floor((clip_box_p.top - pPattern->bbox().bottom) /
                            pPattern->y_step());
 
+  // Make sure we can fit the needed width * height into an int.
+  if (height > std::numeric_limits<int>::max() / width)
+    return;
+
   if (width > clip_box.Width() || height > clip_box.Height() ||
       width * height > clip_box.Width() * clip_box.Height()) {
     std::unique_ptr<CPDF_GraphicStates> pStates;
-- 
cgit v1.2.3