From a94019dc7299133ef3dbb075e05e52ac047b67b3 Mon Sep 17 00:00:00 2001 From: Bo Xu Date: Mon, 18 Aug 2014 11:33:03 -0700 Subject: Check path point count overflow in DrawThisAppearance BUG=387969 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/461343003 --- fpdfsdk/src/pdfwindow/PWL_Edit.cpp | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp index df59c2ccc8..dfdbf64f0e 100644 --- a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp +++ b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp @@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser CFX_ByteTextBuf sLine; FX_INT32 nCharArray = m_pEdit->GetCharArray(); + FX_SAFE_INT32 nCharArraySafe = nCharArray; + nCharArraySafe -= 1; + nCharArraySafe *= 2; - if (nCharArray > 0) + if (nCharArray > 0 && nCharArraySafe.IsValid()) { switch (GetBorderStyle()) { @@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth(); CFX_PathData path; - path.SetPointCount((nCharArray-1)*2); + if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) { + return; + } for (FX_INT32 i=0; i