From f04b7f1c438bf9f9e41a1925c6bcaa378c082ee1 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Mon, 9 Jan 2017 13:39:05 -0500
Subject: Check validity of width and height in
 CCodec_TiffContext::LoadFrameInfo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We are using pdfium::base::checked_cast to get the width and height,
but we may overflow and abort. Therefore, we should instead early
return if the obtained width and height are not valid int32_t's.

BUG=655056

Change-Id: Ic0c6b88a16dc3d547fe82736bb14ed3122cd356a
Reviewed-on: https://pdfium-review.googlesource.com/2160
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
---
 core/fxcodec/codec/fx_codec_tiff.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index be9c7d447f..cf38d71b37 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -267,8 +267,13 @@ bool CCodec_TiffContext::LoadFrameInfo(int32_t frame,
     Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MAKE, pAttribute);
     Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MODEL, pAttribute);
   }
-  *width = pdfium::base::checked_cast<int32_t>(tif_width);
-  *height = pdfium::base::checked_cast<int32_t>(tif_height);
+  pdfium::base::CheckedNumeric<int32_t> checked_width = tif_width;
+  pdfium::base::CheckedNumeric<int32_t> checked_height = tif_height;
+  if (!checked_width.IsValid() || !checked_height.IsValid())
+    return false;
+
+  *width = checked_width.ValueOrDie();
+  *height = checked_height.ValueOrDie();
   *comps = tif_comps;
   *bpc = tif_bpc;
   if (tif_rps > tif_height) {
-- 
cgit v1.2.3