From fb362089d952950212ccf159f86a46923f223172 Mon Sep 17 00:00:00 2001
From: dsinclair <dsinclair@chromium.org>
Date: Tue, 9 Aug 2016 06:50:28 -0700
Subject: Fixup various overflow conditions

There were several overflows detected by the PDF from the linked bug. This
Cl fixes up the base causes of each of them.

BUG=chromium:635473

Review-Url: https://codereview.chromium.org/2226023002
---
 core/fxge/ge/fx_ge_device.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'core/fxge')

diff --git a/core/fxge/ge/fx_ge_device.cpp b/core/fxge/ge/fx_ge_device.cpp
index 36d2920b49..7cf11e7a1f 100644
--- a/core/fxge/ge/fx_ge_device.cpp
+++ b/core/fxge/ge/fx_ge_device.cpp
@@ -170,6 +170,13 @@ FX_BOOL CFX_RenderDevice::DrawPathWithBlend(
     if (!(fill_mode & FXFILL_RECT_AA) &&
         pPathData->IsRect(pObject2Device, &rect_f)) {
       FX_RECT rect_i = rect_f.GetOutterRect();
+
+      // Depending on the top/bottom, left/right values of the rect it's
+      // possible to overflow the Width() and Height() calculations. Check that
+      // the rect will have valid dimension before continuing.
+      if (!rect_i.Valid())
+        return FALSE;
+
       int width = (int)FXSYS_ceil(rect_f.right - rect_f.left);
       if (width < 1) {
         width = 1;
-- 
cgit v1.2.3