From 5aed0216ad6574944e76a95ef0dbbc910bab4a1a Mon Sep 17 00:00:00 2001
From: stackexploit
Date: Mon, 26 Sep 2016 13:54:55 -0700
Subject: Strengthen bounds check in CWeightTable::Calc.
The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int type array PixelWeight.m_Weights.
BUG=chromium:619398
R=ochang@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2322903002
---
 core/fxge/dib/dib_int.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'core/fxge/dib/dib_int.h')
diff --git a/core/fxge/dib/dib_int.h b/core/fxge/dib/dib_int.h
index aa4a7927fb..31ccc8d371 100644
--- a/core/fxge/dib/dib_int.h
+++ b/core/fxge/dib/dib_int.h
@@ -55,6 +55,7 @@ class CWeightTable {
 int flags);
 PixelWeight* GetPixelWeight(int pixel) const;
 int* GetValueFromPixelWeight(PixelWeight* pWeight, int index) const;
+ size_t GetPixelWeightSize() const;
 private:
 int m_DestMin;
-- 
cgit v1.2.3
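Review bot: The added declaration `size_t GetPixelWeightSize() const;` does not say what unit it returns, and the defect described in the commit message is precisely a byte count (`m_dwWeightTablesSize`) being used as a limit on an `int` array. I would put a comment directly above it stating the unit and what it bounds, for example `// Number of int entries usable in one PixelWeight's m_Weights (an element count, not a byte size).`, adjusted to whatever the definition actually computes. The definition and its callers are not in this file section, so it cannot be checked from here whether the comparison is made in elements rather than bytes. Since `GetValueFromPixelWeight` takes a signed `int index`, the definition presumably also needs to reject negative values before comparing against the `size_t` result. The class body begins and ends outside the hunk.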