From ab4221c772b4ccf535849062bb8f06c73b94548f Mon Sep 17 00:00:00 2001
From: foxit
Date: Mon, 7 Jul 2014 13:53:16 -0700
Subject: Integer overflow in fx_basic.h and fx_memory.h
BUG=382656
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/334573007
---
 core/include/fxcrt/fx_basic.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'core/include/fxcrt/fx_basic.h')
diff --git a/core/include/fxcrt/fx_basic.h b/core/include/fxcrt/fx_basic.h
index 378d6c30a8..bdb1599491 100644
--- a/core/include/fxcrt/fx_basic.h
+++ b/core/include/fxcrt/fx_basic.h
@@ -6,6 +6,10 @@
 #ifndef _FX_BASIC_H_
 #define _FX_BASIC_H_
+#ifndef _STDINT_H_
+#define _STDINT_H_
+#include
+#endif
 #ifndef _FX_SYSTEM_H_
 #include "fx_system.h"
 #endif
@@ -18,6 +22,7 @@
 #ifndef _FX_STREAM_H_
 #include "fx_stream.h"
 #endif
+
 class CFX_BinaryBuf : public CFX_Object
 {
 public:
@@ -776,6 +781,9 @@ public:
 if (data_size > FixedSize) {
 m_pData = FX_Allocator_Alloc(m_pAllocator, DataType, data_size);
 } else {
+ if (FixedSize > SIZE_MAX/sizeof(DataType))
+ return;
+
 FXSYS_memset32(m_Data, 0, sizeof(DataType)*FixedSize);
 }
 }
@@ -788,6 +796,10 @@ public:
 if (data_size > FixedSize) {
 m_pData = FX_Allocator_Alloc(m_pAllocator, DataType, data_size);
 } else {
+
+ if (FixedSize > SIZE_MAX/sizeof(DataType))
+ return;
+
 FXSYS_memset32(m_Data, 0, sizeof(DataType)*FixedSize);
 }
 }
-- cgit v1.2.3
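Review bot: Defining `_STDINT_H_` by hand before the include in the first hunk uses a reserved identifier that some C libraries use as the include guard of their own `<stdint.h>`; on such a platform the header body is skipped and `SIZE_MAX`, which the later hunks depend on, is never defined. The include target is missing from this page (presumably `<stdint.h>`). System headers carry their own guards, so the wrapper can be dropped in favour of a plain `#include <stdint.h>`. Older C++ toolchains may also need `__STDC_LIMIT_MACROS` defined before that include for `SIZE_MAX` to be visible.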
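Review bot: The overflow guard added in the `else` branch of the third hunk (and repeated in the fourth) tests `FixedSize`, which appears to be a compile-time bound for the inline `m_Data` buffer, so it can hardly ever fire, while the caller-supplied `data_size` passed to `FX_Allocator_Alloc(m_pAllocator, DataType, data_size)` is not checked in these hunks. Whether that macro checks `data_size * sizeof(DataType)` itself cannot be seen here, since the subject names fx_memory.h but the page is limited to fx_basic.h. If it does not, test `data_size > SIZE_MAX/sizeof(DataType)` before the allocation and express the `FixedSize` bound as a compile-time assertion. The bare `return;` also leaves `m_Data` unzeroed without telling the caller, so a comment such as `// size check failed: buffer left uninitialised, object must not be used` would at least record that state. Both enclosing functions begin and end outside their hunks.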