From e7950df70a2fd658f466751b29483436cb31e829 Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Fri, 20 Nov 2015 09:53:08 -0800
Subject: Change |CCodec_ScanlineDecoder::m_Pitch| to FX_DWORD

This matches the type of the corresponding |CFX_DIBSource::m_Pitch|, where integer overflow is checked for FX_DWORD. This change is propagated to many other places. Also, check for integer overflow in |CCodec_RLScanlineDecoder::Create| during the calculation of |m_Pitch| since it aligns to 4 bytes while overflow was was previously checked without this alignment.

R=tsepez@chromium.org, thestig@chromium.org
BUG=555784
Review URL: https://codereview.chromium.org/1460033002 .
---
 core/src/fxcodec/codec/fx_codec_fax.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'core/src/fxcodec/codec/fx_codec_fax.cpp')
diff --git a/core/src/fxcodec/codec/fx_codec_fax.cpp b/core/src/fxcodec/codec/fx_codec_fax.cpp
index d376fe293b..b198e74784 100644
--- a/core/src/fxcodec/codec/fx_codec_fax.cpp
+++ b/core/src/fxcodec/codec/fx_codec_fax.cpp
@@ -656,7 +656,8 @@ FX_BOOL CCodec_FaxDecoder::Create(const uint8_t* src_buf,
 if (m_OrigHeight == 0) {
 m_OrigHeight = height;
 }
- m_Pitch = (m_OrigWidth + 31) / 32 * 4;
+ // Should not overflow. Checked by FPDFAPI_CreateFaxDecoder.
+ m_Pitch = (static_cast(m_OrigWidth) + 31) / 32 * 4;
 m_OutputWidth = m_OrigWidth;
 m_OutputHeight = m_OrigHeight;
 m_pScanlineBuf = FX_Alloc(uint8_t, m_Pitch);
@@ -716,7 +717,7 @@ uint8_t* CCodec_FaxDecoder::v_GetNextLine() {
 }
 }
 if (m_bBlack) {
- for (int i = 0; i < m_Pitch; i++) {
+ for (FX_DWORD i = 0; i < m_Pitch; i++) {
 m_pScanlineBuf[i] = ~m_pScanlineBuf[i];
 }
 }
-- cgit v1.2.3
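Review bot: The added comment in CCodec_FaxDecoder::Create rests the safety of `m_Pitch` on a check in FPDFAPI_CreateFaxDecoder, which this patch does not show, so any other caller of Create() reaches `FX_Alloc(uint8_t, m_Pitch)` with nothing validated locally. If m_OrigWidth is a signed int, as the cast suggests, a non-negative width cannot wrap once widened to FX_DWORD; the remaining risk is a zero or negative width, which would convert to an unrelated pitch and leave the scanline buffer size out of step with the width. A local guard before the computation, e.g. `if (m_OrigWidth <= 0) return FALSE;`, would enforce the invariant here, and the comment could then read `// Cannot wrap: m_OrigWidth is positive and is widened to FX_DWORD before adding 31.` The cast's template argument is missing in this rendering (presumably `static_cast<FX_DWORD>`). Create()'s body starts and ends outside the hunk, so an earlier check there cannot be ruled out.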