From b1f5545e34375a5947004ee92cc808b3df9d4a5b Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Wed, 7 Sep 2016 13:53:51 -0700
Subject: Verify pattern start values.
When calculating the starting x and y for a pattern it is possible to overflow the int value. Use checked math to make sure we don't overflow.
BUG=chromium:637984
Review-Url: https://codereview.chromium.org/2317283002
---
 core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
index 090060d2c0..afcaa8dd19 100644
--- a/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
+++ b/core/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
@@ -1138,8 +1138,19 @@ void CPDF_RenderStatus::DrawTilingPattern(CPDF_TilingPattern* pPattern,
 FX_FLOAT orig_x = col * pPattern->x_step();
 FX_FLOAT orig_y = row * pPattern->y_step();
 mtPattern2Device.Transform(orig_x, orig_y);
- start_x = FXSYS_round(orig_x + left_offset) - clip_box.left;
- start_y = FXSYS_round(orig_y + top_offset) - clip_box.top;
+
+ pdfium::base::CheckedNumeric safeStartX =
+ FXSYS_round(orig_x + left_offset);
+ pdfium::base::CheckedNumeric safeStartY =
+ FXSYS_round(orig_y + top_offset);
+
+ safeStartX -= clip_box.left;
+ safeStartY -= clip_box.top;
+ if (!safeStartX.IsValid() || !safeStartY.IsValid())
+ return;
+
+ start_x = safeStartX.ValueOrDefault(0);
+ start_y = safeStartY.ValueOrDefault(0);
 }
 if (width == 1 && height == 1) {
 if (start_x < 0 || start_x >= clip_box.Width() || start_y < 0 ||
-- cgit v1.2.3
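Review bot: Only the subtraction of `clip_box.left` / `clip_box.top` is checked here; the float-to-int conversion in `FXSYS_round(orig_x + left_offset)` runs before the value reaches `CheckedNumeric`, so the guard is complete only if `FXSYS_round` itself saturates out-of-range input, which this hunk does not show. Worth confirming that and recording it above `safeStartX`, e.g. `// FXSYS_round() result is already within int range; only the clip_box subtraction can overflow.` The new `return;` also leaves DrawTilingPattern entirely on the first bad tile, and it appears to sit inside the per-tile loop (the enclosing body starts and ends outside the hunk), so a one-line comment such as `// Overflowed origin: stop drawing rather than use a wrapped position.` would make clear that abandoning the remaining tiles is intended. Since both values are known valid after the `IsValid()` check, `ValueOrDie()` would state that invariant more directly than `ValueOrDefault(0)`.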