From e21501d9427539828b5d547b9d20a752d06914aa Mon Sep 17 00:00:00 2001
From: tsepez <tsepez@chromium.org>
Date: Tue, 2 Aug 2016 13:36:16 -0700
Subject: Bound total pixels in JBig2 images to avoid overflows later.

Also make these private to ensure they aren't modified so as to
violate the bounds checks applied at creation time.

BUG=633002

Review-Url: https://codereview.chromium.org/2202013002
---
 core/fxcodec/jbig2/JBig2_GrrdProc.cpp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'core/fxcodec/jbig2/JBig2_GrrdProc.cpp')

diff --git a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
index 25c9ea2d8a..672692da54 100644
--- a/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
+++ b/core/fxcodec/jbig2/JBig2_GrrdProc.cpp
@@ -20,13 +20,13 @@ CJBig2_Image* CJBig2_GRRDProc::decode(CJBig2_ArithDecoder* pArithDecoder,
   if (GRTEMPLATE == 0) {
     if ((GRAT[0] == -1) && (GRAT[1] == -1) && (GRAT[2] == -1) &&
         (GRAT[3] == -1) && (GRREFERENCEDX == 0) &&
-        (GRW == (uint32_t)GRREFERENCE->m_nWidth)) {
+        (GRW == (uint32_t)GRREFERENCE->width())) {
       return decode_Template0_opt(pArithDecoder, grContext);
     }
     return decode_Template0_unopt(pArithDecoder, grContext);
   }
 
-  if ((GRREFERENCEDX == 0) && (GRW == (uint32_t)GRREFERENCE->m_nWidth))
+  if ((GRREFERENCEDX == 0) && (GRW == (uint32_t)GRREFERENCE->width()))
     return decode_Template1_opt(pArithDecoder, grContext);
   return decode_Template1_unopt(pArithDecoder, grContext);
 }
@@ -162,10 +162,10 @@ CJBig2_Image* CJBig2_GRRDProc::decode_Template0_opt(
   FX_BOOL LTP = FALSE;
   uint8_t* pLine = GRREG->m_pData;
   uint8_t* pLineR = GRREFERENCE->m_pData;
-  intptr_t nStride = GRREG->m_nStride;
-  intptr_t nStrideR = GRREFERENCE->m_nStride;
-  int32_t GRWR = GRREFERENCE->m_nWidth;
-  int32_t GRHR = GRREFERENCE->m_nHeight;
+  intptr_t nStride = GRREG->stride();
+  intptr_t nStrideR = GRREFERENCE->stride();
+  int32_t GRWR = GRREFERENCE->width();
+  int32_t GRHR = GRREFERENCE->height();
   if (GRREFERENCEDY < -GRHR + 1 || GRREFERENCEDY > GRHR - 1)
     GRREFERENCEDY = 0;
   intptr_t nOffset = -GRREFERENCEDY * nStrideR;
@@ -396,10 +396,10 @@ CJBig2_Image* CJBig2_GRRDProc::decode_Template1_opt(
   FX_BOOL LTP = FALSE;
   uint8_t* pLine = GRREG->m_pData;
   uint8_t* pLineR = GRREFERENCE->m_pData;
-  intptr_t nStride = GRREG->m_nStride;
-  intptr_t nStrideR = GRREFERENCE->m_nStride;
-  int32_t GRWR = GRREFERENCE->m_nWidth;
-  int32_t GRHR = GRREFERENCE->m_nHeight;
+  intptr_t nStride = GRREG->stride();
+  intptr_t nStrideR = GRREFERENCE->stride();
+  int32_t GRWR = GRREFERENCE->width();
+  int32_t GRHR = GRREFERENCE->height();
   if (GRREFERENCEDY < -GRHR + 1 || GRREFERENCEDY > GRHR - 1) {
     GRREFERENCEDY = 0;
   }
-- 
cgit v1.2.3