From e21501d9427539828b5d547b9d20a752d06914aa Mon Sep 17 00:00:00 2001
From: tsepez <tsepez@chromium.org>
Date: Tue, 2 Aug 2016 13:36:16 -0700
Subject: Bound total pixels in JBig2 images to avoid overflows later.

Also make these private to ensure they aren't modified so as to
violate the bounds checks applied at creation time.

BUG=633002

Review-Url: https://codereview.chromium.org/2202013002
---
 core/fxcodec/jbig2/JBig2_Context.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'core/fxcodec/jbig2/JBig2_Context.cpp')

diff --git a/core/fxcodec/jbig2/JBig2_Context.cpp b/core/fxcodec/jbig2/JBig2_Context.cpp
index 256ce3910a..911eb0bf63 100644
--- a/core/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/fxcodec/jbig2/JBig2_Context.cpp
@@ -924,7 +924,7 @@ int32_t CJBig2_Context::parseTextRegion(CJBig2_Segment* pSegment) {
     if (!m_bBufSpecified) {
       JBig2PageInfo* pPageInfo = m_PageInfoList.back();
       if ((pPageInfo->m_bIsStriped == 1) &&
-          (ri.y + ri.height > m_pPage->m_nHeight)) {
+          (ri.y + ri.height > m_pPage->height())) {
         m_pPage->expand(ri.y + ri.height, (pPageInfo->m_cFlags & 4) ? 1 : 0);
       }
     }
@@ -1015,8 +1015,8 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
 
   pHRD->HNUMPATS = pPatternDict->NUMPATS;
   pHRD->HPATS = pPatternDict->HDPATS;
-  pHRD->HPW = pPatternDict->HDPATS[0]->m_nWidth;
-  pHRD->HPH = pPatternDict->HDPATS[0]->m_nHeight;
+  pHRD->HPW = pPatternDict->HDPATS[0]->width();
+  pHRD->HPH = pPatternDict->HDPATS[0]->height();
   pSegment->m_nResultType = JBIG2_IMAGE_POINTER;
   if (pHRD->HMMR == 0) {
     const size_t size = GetHuffContextSize(pHRD->HTEMPLATE);
@@ -1042,7 +1042,7 @@ int32_t CJBig2_Context::parseHalftoneRegion(CJBig2_Segment* pSegment,
     if (!m_bBufSpecified) {
       JBig2PageInfo* pPageInfo = m_PageInfoList.back();
       if (pPageInfo->m_bIsStriped == 1 &&
-          ri.y + ri.height > m_pPage->m_nHeight) {
+          ri.y + ri.height > m_pPage->height()) {
         m_pPage->expand(ri.y + ri.height, (pPageInfo->m_cFlags & 4) ? 1 : 0);
       }
     }
@@ -1108,7 +1108,7 @@ int32_t CJBig2_Context::parseGenericRegion(CJBig2_Segment* pSegment,
         if (!m_bBufSpecified) {
           JBig2PageInfo* pPageInfo = m_PageInfoList.back();
           if ((pPageInfo->m_bIsStriped == 1) &&
-              (m_ri.y + m_ri.height > m_pPage->m_nHeight)) {
+              (m_ri.y + m_ri.height > m_pPage->height())) {
             m_pPage->expand(m_ri.y + m_ri.height,
                             (pPageInfo->m_cFlags & 4) ? 1 : 0);
           }
@@ -1142,7 +1142,7 @@ int32_t CJBig2_Context::parseGenericRegion(CJBig2_Segment* pSegment,
     if (!m_bBufSpecified) {
       JBig2PageInfo* pPageInfo = m_PageInfoList.back();
       if ((pPageInfo->m_bIsStriped == 1) &&
-          (m_ri.y + m_ri.height > m_pPage->m_nHeight)) {
+          (m_ri.y + m_ri.height > m_pPage->height())) {
         m_pPage->expand(m_ri.y + m_ri.height,
                         (pPageInfo->m_cFlags & 4) ? 1 : 0);
       }
@@ -1215,7 +1215,7 @@ int32_t CJBig2_Context::parseGenericRefinementRegion(CJBig2_Segment* pSegment) {
     if (!m_bBufSpecified) {
       JBig2PageInfo* pPageInfo = m_PageInfoList.back();
       if ((pPageInfo->m_bIsStriped == 1) &&
-          (ri.y + ri.height > m_pPage->m_nHeight)) {
+          (ri.y + ri.height > m_pPage->height())) {
         m_pPage->expand(ri.y + ri.height, (pPageInfo->m_cFlags & 4) ? 1 : 0);
       }
     }
-- 
cgit v1.2.3