From ed6485f1aa4ce9de8b5cab86cc844df4f4bd0b52 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Mon, 24 Oct 2016 13:39:02 -0700
Subject: M55: Strengthen bounds check in CWeightTable::Calc * part II

This CL implemented a better version of CWeightTable::GetPixelWeightSize(), which will calculate the size of array PixelWeight.m_Weights correctly to prevent potential heap buffer overflow conditions.

BUG=chromium:654183
TBR=tsepez@chromium.org

Review-Url: https://codereview.chromium.org/2404453003
(cherry picked from commit 05923132ae08d45fbe957219775a48c55ee57aef)

Review URL: https://codereview.chromium.org/2448613002 .
---
 core/fxge/dib/fx_dib_engine.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 389cf23909..47dcf03259 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -43,7 +43,7 @@ CWeightTable::~CWeightTable() {
 }
 
 size_t CWeightTable::GetPixelWeightSize() const {
-  return m_dwWeightTablesSize / sizeof(int);
+  return m_ItemSize / sizeof(int) - 2;
 }
 
 bool CWeightTable::Calc(int dest_len,
-- 
cgit v1.2.3