Sanitize values in chrome_pdf::PDFiumPage::PageToScreen().

pdf/pdfium/pdfium_page.cc

Index: pdf/pdfium/pdfium_page.cc
diff --git a/pdf/pdfium/pdfium_page.cc b/pdf/pdfium/pdfium_page.cc
index bd45861abe2060e4db44f7aef5a33720bb06df40..c7e5d9ec7130aa2c05610f1aa52b8b7f66756dac 100644
--- a/pdf/pdfium/pdfium_page.cc
+++ b/pdf/pdfium/pdfium_page.cc
@@ -12,6 +12,7 @@
 #include <utility>
 
 #include "base/logging.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
@@ -461,21 +462,41 @@ pp::Rect PDFiumPage::PageToScreen(const pp::Point& offset,
   if (!available_)
     return pp::Rect();
 
-  int new_left, new_top, new_right, new_bottom;
-  FPDF_PageToDevice(
-      page_,
-      static_cast<int>((rect_.x() - offset.x()) * zoom),
-      static_cast<int>((rect_.y() - offset.y()) * zoom),
-      static_cast<int>(ceil(rect_.width() * zoom)),
-      static_cast<int>(ceil(rect_.height() * zoom)),
-      rotation, left, top, &new_left, &new_top);
-  FPDF_PageToDevice(
-      page_,
-      static_cast<int>((rect_.x() - offset.x()) * zoom),
-      static_cast<int>((rect_.y() - offset.y()) * zoom),
-      static_cast<int>(ceil(rect_.width() * zoom)),
-      static_cast<int>(ceil(rect_.height() * zoom)),
-      rotation, right, bottom, &new_right, &new_bottom);
+  base::CheckedNumeric<double> start_x = rect_.x();

[Tom Sepez, 2016/09/27 15:57:17]

can we get away with just using doubles here?  I'm not sure how they would
overflow.

[Lei Zhang, 2016/09/27 16:44:40]

Can multiplying by |zoom| overflow? Am I being too paranoid?

[Tom Sepez, 2016/09/27 16:46:42]

Probably can, but I wouldn't worry about it.  There are too many places where
doubles would overflow throughout the code ...

[Lei Zhang, 2016/09/27 17:50:44]

Done.

+  start_x -= offset.x();
+  start_x *= zoom;
+  base::CheckedNumeric<double> start_y = rect_.y();
+  start_y -= offset.y();
+  start_y *= zoom;
+  base::CheckedNumeric<double> size_x = rect_.width();
+  size_x *= zoom;
+  base::CheckedNumeric<double> size_y = rect_.height();
+  size_y *= zoom;
+  if (!start_x.IsValid() || !start_y.IsValid() || !size_x.IsValid() ||
+      !size_y.IsValid()) {
+    return pp::Rect();
+  }
+  if (!base::IsValueInRangeForNumericType<int>(start_x.ValueOrDie()) ||
+      !base::IsValueInRangeForNumericType<int>(start_y.ValueOrDie()) ||
+      !base::IsValueInRangeForNumericType<int>(size_x.ValueOrDie()) ||
+      !base::IsValueInRangeForNumericType<int>(size_y.ValueOrDie())) {
+    return pp::Rect();
+  }
+
+  int new_left;
+  int new_top;
+  int new_right;
+  int new_bottom;
+  FPDF_PageToDevice(page_, static_cast<int>(start_x.ValueOrDie()),
+                    static_cast<int>(start_y.ValueOrDie()),
+                    static_cast<int>(ceil(size_x.ValueOrDie())),
+                    static_cast<int>(ceil(size_y.ValueOrDie())), rotation, left,
+                    top, &new_left, &new_top);
+  FPDF_PageToDevice(page_, static_cast<int>(start_x.ValueOrDie()),
+                    static_cast<int>(start_y.ValueOrDie()),
+                    static_cast<int>(ceil(size_x.ValueOrDie())),
+                    static_cast<int>(ceil(size_y.ValueOrDie())), rotation,
+                    right, bottom, &new_right, &new_bottom);
 
   // If the PDF is rotated, the horizontal/vertical coordinates could be
   // flipped.  See
@@ -485,8 +506,22 @@ pp::Rect PDFiumPage::PageToScreen(const pp::Point& offset,
   if (new_bottom < new_top)
     std::swap(new_bottom, new_top);
 
-  return pp::Rect(
-      new_left, new_top, new_right - new_left + 1, new_bottom - new_top + 1);
+  if (!base::IsValueInRangeForNumericType<int32_t>(new_left) ||

[Tom Sepez, 2016/09/27 15:57:17]

new_left is an int (presumably == int32_t for practical purposes), so this would
always be in range?

+      !base::IsValueInRangeForNumericType<int32_t>(new_top)) {
+    return pp::Rect();
+  }
+
+  base::CheckedNumeric<int32_t> new_size_x = new_right;
+  new_size_x -= new_left;
+  new_size_x += 1;
+  base::CheckedNumeric<int32_t> new_size_y = new_bottom;
+  new_size_y -= new_top;
+  new_size_y += 1;
+  if (!new_size_x.IsValid() || !new_size_y.IsValid())
+    return pp::Rect();
+
+  return pp::Rect(new_left, new_top, new_size_x.ValueOrDie(),
+                  new_size_y.ValueOrDie());
 }
 
 PDFiumPage::ScopedLoadCounter::ScopedLoadCounter(PDFiumPage* page)