From a94019dc7299133ef3dbb075e05e52ac047b67b3 Mon Sep 17 00:00:00 2001
From: Bo Xu <bo_xu@foxitsoftware.com>
Date: Mon, 18 Aug 2014 11:33:03 -0700
Subject: Check path point count overflow in DrawThisAppearance

BUG=387969
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/461343003
---
 fpdfsdk/src/pdfwindow/PWL_Edit.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
index df59c2ccc8..dfdbf64f0e 100644
--- a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
+++ b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
@@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 	CFX_ByteTextBuf sLine;
 
 	FX_INT32 nCharArray = m_pEdit->GetCharArray();
+	FX_SAFE_INT32 nCharArraySafe = nCharArray;
+	nCharArraySafe -= 1;
+	nCharArraySafe *= 2;
 
-	if (nCharArray > 0)
+	if (nCharArray > 0 && nCharArraySafe.IsValid())
 	{
 		switch (GetBorderStyle())
 		{
@@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 				gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth();
 
 				CFX_PathData path;
-				path.SetPointCount((nCharArray-1)*2);
+				if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+					return;
+				}
 				
 				for (FX_INT32 i=0; i<nCharArray-1; i++)
 				{					
@@ -447,7 +452,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 				gsd.m_DashPhase = (FX_FLOAT)GetBorderDash().nPhase;
 
 				CFX_PathData path;
-				path.SetPointCount((nCharArray-1)*2);
+				if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+					return;
+				}
 				
 				for (FX_INT32 i=0; i<nCharArray-1; i++)
 				{					
-- 
cgit v1.2.3