Merge to M44: Fix Heap Overflow in CJBig2_Image::expand

core/src/fxcodec/jbig2/JBig2_Image.cpp

Index: core/src/fxcodec/jbig2/JBig2_Image.cpp
diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp
index 5da1fc63d0c296c5197ca160488dfdaf2120bb81..03929b84c867d60ad02be257df78f304d4dcef42 100644
--- a/core/src/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp
@@ -4,10 +4,12 @@
  
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#include "JBig2_Image.h"
+#include <limits.h>
 #include "../../../include/fxcrt/fx_basic.h"
 #include "../../../include/fxcrt/fx_coordinates.h"
-#include <limits.h>
+#include "../../../src/fxcrt/fx_safe_types.h"
+#include "JBig2_Image.h"
+
 CJBig2_Image::CJBig2_Image(FX_INT32 w, FX_INT32 h)
 {
     m_nWidth	= w;
@@ -768,7 +770,12 @@ void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
     if (!m_pData) {
         return;
     }
-    m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, h * m_nStride);
+    FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h); 
+    safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+    if (!safeMemSize.IsValid()) {
+        return;
+    }
+    m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
     if(h > m_nHeight) {
         JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
     }