Merge to M44: Integer overflow in CJBig2_Image::expand

core/src/fxcodec/jbig2/JBig2_Image.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
  
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include <limits.h>
 #include "../../../include/fxcrt/fx_basic.h"
 #include "../../../include/fxcrt/fx_coordinates.h"
 #include "../../../src/fxcrt/fx_safe_types.h"
@@ skipping 749 matching lines @@
                 pDst[3] = (FX_BYTE)wTmp;
             }
             pLineSrc += m_nStride;
             pLineDst += pImage->m_nStride;
         }
     }
     return pImage;
 }
 void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
 {
-    if (!m_pData) {
+    if (!m_pData || h <= m_nHeight) {
         return;
     }
-    FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h); 
-    safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+    FX_DWORD dwH = pdfium::base::checked_cast<FX_DWORD>(h);
+    FX_DWORD dwStride = pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+    FX_DWORD dwHeight = pdfium::base::checked_cast<FX_DWORD>(m_nHeight);
+    FX_SAFE_DWORD safeMemSize = dwH; 
+    safeMemSize *= dwStride;
     if (!safeMemSize.IsValid()) {
         return;
     }
+    //The guaranteed reallocated memory is to be < 4GB (unsigned int). 
     m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
-    if(h > m_nHeight) {
-        JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
-    }
+    //The result of dwHeight * dwStride doesn't overflow after the 
+    //checking of safeMemSize.
+    //The same as the result of (dwH - dwHeight) * dwStride) because
+    //dwH - dwHeight is always less than dwH(h) which is checked in
+    //the calculation of dwH * dwStride. 
+    JBIG2_memset(m_pData + dwHeight * dwStride, v ? 0xff : 0, (dwH - dwHeight) * dwStride);
     m_nHeight = h;
 }
 FX_BOOL CJBig2_Image::composeTo_opt2(CJBig2_Image *pDst, FX_INT32 x, FX_INT32 y, JBig2ComposeOp op)
 {
     FX_INT32 xs0 = 0, ys0  = 0, xs1  = 0, ys1   = 0, xd0    = 0, yd0          = 0, xd1      = 0, 
              yd1 = 0, xx   = 0, yy   = 0, w     = 0, h      = 0, middleDwords = 0, lineLeft = 0;
 
     FX_DWORD s1  = 0, d1   = 0, d2   = 0, shift = 0, shift1 = 0, shift2       = 0, 
              tmp = 0, tmp1 = 0, tmp2 = 0, maskL = 0, maskR  = 0, maskM        = 0;
 
@@ skipping 822 matching lines @@
                     dp[2] = (FX_BYTE)(tmp >> 8);
                     dp[3] = (FX_BYTE)tmp;
                 }
                 lineSrc += m_nStride;
                 lineDst += pDst->m_nStride;
             }
         }
     }
     return 1;
 }