From fb362089d952950212ccf159f86a46923f223172 Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Tue, 9 Aug 2016 06:50:28 -0700
Subject: Fixup various overflow conditions

There were several overflows detected by the PDF from the linked bug. This Cl fixes up the base causes of each of them.

BUG=chromium:635473

Review-Url: https://codereview.chromium.org/2226023002
---
 core/fxcrt/include/fx_coordinates.h | 8 +++++++
 core/fxge/ge/fx_ge_device.cpp | 7 ++++++
 third_party/agg23/0002-ubsan-error-fixes.patch | 33 ++++++++++++++++++++++++++
 third_party/agg23/README.pdfium | 1 +
 third_party/agg23/agg_clip_liang_barsky.h | 15 ++++++++++--
 5 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 third_party/agg23/0002-ubsan-error-fixes.patch

diff --git a/core/fxcrt/include/fx_coordinates.h b/core/fxcrt/include/fx_coordinates.h
index eff2a7258a..ce97f6f6f3 100644
--- a/core/fxcrt/include/fx_coordinates.h
+++ b/core/fxcrt/include/fx_coordinates.h
@@ -150,6 +150,14 @@ struct FX_RECT {
 int Height() const { return bottom - top; }
 bool IsEmpty() const { return right <= left || bottom <= top; }
 
+ bool Valid() const {
+ pdfium::base::CheckedNumeric w = right;
+ pdfium::base::CheckedNumeric h = bottom;
+ w -= left;
+ h -= top;
+ return w.IsValid() && h.IsValid();
+ }
+
 void Normalize();
 
 void Intersect(const FX_RECT& src);
diff --git a/core/fxge/ge/fx_ge_device.cpp b/core/fxge/ge/fx_ge_device.cpp
index 36d2920b49..7cf11e7a1f 100644
--- a/core/fxge/ge/fx_ge_device.cpp
+++ b/core/fxge/ge/fx_ge_device.cpp
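Review bot: `Valid()` is a new public member of FX_RECT with no comment, and nothing in the hunk ties it to `Width()` and `Height()`, which still perform the unchecked `right - left` / `bottom - top` subtraction, so a caller that skips the new check hits exactly the signed overflow this commit is fixing. I would document the contract above the method: `// True when Width() and Height() can be computed without signed overflow. Must be checked before using either on a rect built from untrusted coordinates.` It is also worth stating that `Valid()` says nothing about orientation (left <= right), so it is not a substitute for `IsEmpty()` or `Normalize()`. In this rendering `pdfium::base::CheckedNumeric` appears without its template argument, presumably `CheckedNumeric<int>` lost in extraction; confirm against the actual file.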
@@ -170,6 +170,13 @@ FX_BOOL CFX_RenderDevice::DrawPathWithBlend(
 if (!(fill_mode & FXFILL_RECT_AA) &&
 pPathData->IsRect(pObject2Device, &rect_f)) {
 FX_RECT rect_i = rect_f.GetOutterRect();
+
+ // Depending on the top/bottom, left/right values of the rect it's
+ // possible to overflow the Width() and Height() calculations. Check that
+ // the rect will have valid dimension before continuing.
+ if (!rect_i.Valid())
+ return FALSE;
+
 int width = (int)FXSYS_ceil(rect_f.right - rect_f.left);
 if (width < 1) {
 width = 1;
diff --git a/third_party/agg23/0002-ubsan-error-fixes.patch b/third_party/agg23/0002-ubsan-error-fixes.patch
new file mode 100644
index 0000000000..00ced0071c
--- /dev/null
+++ b/third_party/agg23/0002-ubsan-error-fixes.patch
@@ -0,0 +1,33 @@
+diff --git a/third_party/agg23/agg_clip_liang_barsky.h b/third_party/agg23/agg_clip_liang_barsky.h
+index db6ca97..5b1261f 100644
+--- a/third_party/agg23/agg_clip_liang_barsky.h
++++ b/third_party/agg23/agg_clip_liang_barsky.h
+@@ -20,6 +20,7 @@
+ #ifndef AGG_CLIP_LIANG_BARSKY_INCLUDED
+ #define AGG_CLIP_LIANG_BARSKY_INCLUDED
+ #include "agg_basics.h"
++#include "third_party/base/numerics/safe_math.h"
+ namespace agg
+ {
+ template
+@@ -36,8 +37,18 @@ inline unsigned clip_liang_barsky(T x1, T y1, T x2, T y2,
+ T* x, T* y)
+ {
+ const FX_FLOAT nearzero = 1e-30f;
+- FX_FLOAT deltax = (FX_FLOAT)(x2 - x1);
+- FX_FLOAT deltay = (FX_FLOAT)(y2 - y1);
++
++ pdfium::base::CheckedNumeric width = x2;
++ width -= x1;
++ if (!width.IsValid())
++ return 0;
++ pdfium::base::CheckedNumeric height = y2;
++ height -= y1;
++ if (!height.IsValid())
++ return 0;
++
++ FX_FLOAT deltax = width.ValueOrDefault(0);
++ FX_FLOAT deltay = height.ValueOrDefault(0);
+ unsigned np = 0;
+ if(deltax == 0) {
+ deltax = (x1 > clip_box.x1) ? -nearzero : nearzero;
diff --git a/third_party/agg23/README.pdfium b/third_party/agg23/README.pdfium
index 3b73d4d4d3..8e055d2079 100644
--- a/third_party/agg23/README.pdfium
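Review bot: The new `rect_i.Valid()` guard runs only after `rect_f.GetOutterRect()` has already converted the float rect to ints, so if that conversion is a plain float-to-int cast (its body is not in this hunk), coordinates outside the int range are undefined behaviour before the guard is reached; the check covers the later `Width()`/`Height()` subtraction but not the conversion itself. I would either clamp the float rect to the int range before converting or record the limitation in the comment: `// Note: this only guards the Width()/Height() subtraction; GetOutterRect() must itself saturate out-of-range floats.` The `return FALSE` silently drops the whole fill, which is a reasonable fail-closed choice for corrupt input but should be named in the comment so a later reader does not treat it as a caller error. The comment's `valid dimension` should read `valid dimensions`. `DrawPathWithBlend` starts before and continues after this hunk.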
+++ b/third_party/agg23/README.pdfium
@@ -14,3 +14,4 @@ Various changes to use FX_ library functions. Possibly more? 0001-gcc-warning.patch: Fix a GCC warning about both enumeral and non-enumeral type in conditional.
+0002-ubsan-error-fixes.path: Fix UBSan errors for overflows.
diff --git a/third_party/agg23/agg_clip_liang_barsky.h b/third_party/agg23/agg_clip_liang_barsky.h
index db6ca97505..5b1261f004 100644
--- a/third_party/agg23/agg_clip_liang_barsky.h
+++ b/third_party/agg23/agg_clip_liang_barsky.h
@@ -20,6 +20,7 @@
 #ifndef AGG_CLIP_LIANG_BARSKY_INCLUDED
 #define AGG_CLIP_LIANG_BARSKY_INCLUDED
 #include "agg_basics.h"
+#include "third_party/base/numerics/safe_math.h"
 namespace agg
 {
 template
@@ -36,8 +37,18 @@ inline unsigned clip_liang_barsky(T x1, T y1, T x2, T y2,
 T* x, T* y)
 {
 const FX_FLOAT nearzero = 1e-30f;
- FX_FLOAT deltax = (FX_FLOAT)(x2 - x1);
- FX_FLOAT deltay = (FX_FLOAT)(y2 - y1);
+
+ pdfium::base::CheckedNumeric width = x2;
+ width -= x1;
+ if (!width.IsValid())
+ return 0;
+ pdfium::base::CheckedNumeric height = y2;
+ height -= y1;
+ if (!height.IsValid())
+ return 0;
+
+ FX_FLOAT deltax = width.ValueOrDefault(0);
+ FX_FLOAT deltay = height.ValueOrDefault(0);
 unsigned np = 0;
 if(deltax == 0) {
 deltax = (x1 > clip_box.x1) ? -nearzero : nearzero;
-- 
cgit v1.2.3
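Review bot: The new README entry names `0002-ubsan-error-fixes.path`, but the file this commit creates is `0002-ubsan-error-fixes.patch` (see the diffstat and the new-file header), so the local-modifications list points at a file that does not exist. The line should read `0002-ubsan-error-fixes.patch: Fix UBSan errors for overflows.` so the next person re-vendoring agg23 can find the patch to re-apply.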
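Review bot: When `width` or `height` overflows, the new code returns 0, which the caller will read as "segment fully clipped" and drop the line instead of clipping it; that is an acceptable fail-safe for corrupt coordinates, but the intent is not stated anywhere. I would add above the first check: `// A delta that overflows T cannot be clipped meaningfully; report the segment as fully outside the clip box (np == 0).` Once `IsValid()` has been confirmed, `width.ValueOrDie()` expresses that the value is known-good more directly than `ValueOrDefault(0)`, which reads as if the overflow case were still reachable here. `CheckedNumeric` appears without its template argument in this rendering, presumably `CheckedNumeric<T>` lost in extraction; confirm against the file. `clip_liang_barsky` continues past the end of this hunk.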