Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(477)

Unified Diff: core/src/fxcodec/jbig2/JBig2_Image.cpp

Issue 1241493002: Merge to M44: Integer overflow in CJBig2_Image::expand (Closed) Base URL: https://pdfium.googlesource.com/pdfium@2403
Patch Set: Created 5 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: core/src/fxcodec/jbig2/JBig2_Image.cpp
diff --git a/core/src/fxcodec/jbig2/JBig2_Image.cpp b/core/src/fxcodec/jbig2/JBig2_Image.cpp
index 03929b84c867d60ad02be257df78f304d4dcef42..8e27bca80cc6824fdad6ccd32dff358f4b6a5b3b 100644
--- a/core/src/fxcodec/jbig2/JBig2_Image.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Image.cpp
@@ -767,18 +767,25 @@ CJBig2_Image *CJBig2_Image::subImage(FX_INT32 x, FX_INT32 y, FX_INT32 w, FX_INT3
}
void CJBig2_Image::expand(FX_INT32 h, FX_BOOL v)
{
- if (!m_pData) {
+ if (!m_pData || h <= m_nHeight) {
return;
}
- FX_SAFE_DWORD safeMemSize = pdfium::base::checked_cast<FX_DWORD>(h);
- safeMemSize *= pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+ FX_DWORD dwH = pdfium::base::checked_cast<FX_DWORD>(h);
+ FX_DWORD dwStride = pdfium::base::checked_cast<FX_DWORD>(m_nStride);
+ FX_DWORD dwHeight = pdfium::base::checked_cast<FX_DWORD>(m_nHeight);
+ FX_SAFE_DWORD safeMemSize = dwH;
+ safeMemSize *= dwStride;
if (!safeMemSize.IsValid()) {
return;
}
+ //The guaranteed reallocated memory is to be < 4GB (unsigned int).
m_pData = (FX_BYTE*)m_pModule->JBig2_Realloc(m_pData, safeMemSize.ValueOrDie());
- if(h > m_nHeight) {
- JBIG2_memset(m_pData + m_nHeight * m_nStride, v ? 0xff : 0, (h - m_nHeight)*m_nStride);
- }
+ //The result of dwHeight * dwStride doesn't overflow after the
+ //checking of safeMemSize.
+ //The same as the result of (dwH - dwHeight) * dwStride) because
+ //dwH - dwHeight is always less than dwH(h) which is checked in
+ //the calculation of dwH * dwStride.
+ JBIG2_memset(m_pData + dwHeight * dwStride, v ? 0xff : 0, (dwH - dwHeight) * dwStride);
m_nHeight = h;
}
FX_BOOL CJBig2_Image::composeTo_opt2(CJBig2_Image *pDst, FX_INT32 x, FX_INT32 y, JBig2ComposeOp op)
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698