third_party/WebKit/Source/core/paint/ObjectPainter.cpp - Issue 2404583002: Fix integer overflow in ObjectPainter and divide by zero in Color.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/paint/ObjectPainter.cpp

Issue 2404583002: Fix integer overflow in ObjectPainter and divide by zero in Color. (Closed)

Patch Set: Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/WebKit/Source/core/paint/ObjectPainter.cpp

diff --git a/third_party/WebKit/Source/core/paint/ObjectPainter.cpp b/third_party/WebKit/Source/core/paint/ObjectPainter.cpp

index 7de53eb78014465b96b3cf101223b4e8dad157e6..6d27fcee9eab7ea33a8a3fc4ed59b483ba0a61e3 100644

--- a/third_party/WebKit/Source/core/paint/ObjectPainter.cpp

+++ b/third_party/WebKit/Source/core/paint/ObjectPainter.cpp

@@ -215,6 +215,20 @@ void fillQuad(GraphicsContext& context,

context.drawPath(path, paint);

}

+int safeSubtract(int a, int b) {

pdr. 2016/10/07 22:14:35 I think you can use the existing code in Saturated

wkorman 2016/10/07 23:43:19 Done.

+ if (((b < 0) && (a > std::numeric_limits<int>::max() + b)) ||

+ ((b > 0) && (a < std::numeric_limits<int>::min() + b)))

+ return a;

+ return a - b;

+int safeAdd(int a, int b) {

+ if (((b > 0) && (a > std::numeric_limits<int>::max() - b)) ||

+ ((b < 0) && (a < std::numeric_limits<int>::min() - b)))

+ return a;

+ return a + b;

} // namespace

void ObjectPainter::paintOutline(const PaintInfo& paintInfo,

@@ -350,11 +364,11 @@ void ObjectPainter::drawLineForBoxSide(GraphicsContext& graphicsContext,

int thickness;

int length;

if (side == BSTop || side == BSBottom) {

- thickness = y2 - y1;

- length = x2 - x1;

+ thickness = safeSubtract(y2, y1);

+ length = safeSubtract(x2, x1);

} else {

- thickness = x2 - x1;

- length = y2 - y1;

+ thickness = safeSubtract(x2, x1);

+ length = safeSubtract(y2, y1);

}

// We would like this check to be an ASSERT as we don't want to draw empty

@@ -592,12 +606,13 @@ void ObjectPainter::drawRidgeOrGrooveBoxSide(GraphicsContext& graphicsContext,

case BSBottom:

drawLineForBoxSide(graphicsContext, x1 + std::max(adjacentWidth1, 0) / 2,

y1, x2 - std::max(adjacentWidth2, 0) / 2,

- (y1 + y2 + 1) / 2, side, color, s2, adjacent1BigHalf,

- adjacent2BigHalf, antialias);

+ safeAdd(y1, safeAdd(y2, 1)) / 2, side, color, s2,

+ adjacent1BigHalf, adjacent2BigHalf, antialias);

drawLineForBoxSide(

graphicsContext, x1 + std::max(-adjacentWidth1 + 1, 0) / 2,

- (y1 + y2 + 1) / 2, x2 - std::max(-adjacentWidth2 + 1, 0) / 2, y2,

- side, color, s1, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias);

+ safeAdd(y1, safeAdd(y2, 1)) / 2,

+ x2 - std::max(-adjacentWidth2 + 1, 0) / 2, y2, side, color, s1,

+ adjacentWidth1 / 2, adjacentWidth2 / 2, antialias);

break;

case BSRight:

drawLineForBoxSide(

« no previous file with comments | « no previous file | third_party/WebKit/Source/platform/graphics/Color.cpp » ('j') | no next file with comments »