From 229d05df5bc5deb3890b26b614113c25d9b6935e Mon Sep 17 00:00:00 2001 From: weili Date: Thu, 11 Aug 2016 19:43:58 -0700 Subject: Fix an integer overflow in CStretchEngine constructor When the source bitmap's width and height are large, the multiplication could easily overflow a signed integer. Change to use 'long long' type for calculation to avoid that. BUG=chromium:635663 Review-Url: https://codereview.chromium.org/2240723002
---
core/fxge/dib/fx_dib_engine_unittest.cpp | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 core/fxge/dib/fx_dib_engine_unittest.cpp (limited to 'core/fxge/dib/fx_dib_engine_unittest.cpp')
diff --git a/core/fxge/dib/fx_dib_engine_unittest.cpp b/core/fxge/dib/fx_dib_engine_unittest.cpp
new file mode 100644
index 0000000000..d185adf49d
--- /dev/null
+++ b/core/fxge/dib/fx_dib_engine_unittest.cpp
@@ -0,0 +1,30 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+
+#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_number.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
+#include "core/fpdfapi/fpdf_render/render_int.h"
+#include "core/fxcrt/include/fx_memory.h"
+#include "core/fxge/dib/dib_int.h"
+#include "core/fxge/include/fx_dib.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(CStretchEngine, OverflowInCtor) {
+ FX_RECT clip_rect;
+ std::unique_ptr> dict_obj(
+ new CPDF_Dictionary);
+ dict_obj->SetAt("Width", new CPDF_Number(71000));
+ dict_obj->SetAt("Height", new CPDF_Number(12500));
+ std::unique_ptr> stream(
+ new CPDF_Stream(nullptr, 0, dict_obj.release()));
+ CPDF_DIBSource dib_source;
+ dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr,
+ false, 0, false);
+ CStretchEngine engine(nullptr, FXDIB_8bppRgb, 500, 500, clip_rect,
+ &dib_source, 0);
+ EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags);
+}
-- cgit v1.2.3
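Review bot: The dimensions 71000 and 12500 passed to the two `SetAt` calls are unexplained, and their product (887,500,000) still fits in a 32-bit signed int, so the overflow this test guards against presumably depends on a further factor inside the `CStretchEngine` constructor, which is not part of this file. A short comment above them, e.g. `// Chosen so the constructor's size computation exceeds INT_MAX; width * height alone does not.`, would keep a later edit from moving the values off that boundary without anyone noticing. The result of `dib_source.Load(...)` is also discarded; if it reports success or failure (its declaration is not shown here), wrapping the call in `ASSERT_TRUE(...)` would make a broken fixture distinguishable from a regression in the overflow fix. Because signed overflow is undefined behaviour, the `EXPECT_EQ` on `m_Flags` is most convincing as a regression guard when this test also runs in a UBSan-enabled build.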