Check path point count overflow in DrawThisAppearance

fpdfsdk/src/pdfwindow/PWL_Edit.cpp

Index: fpdfsdk/src/pdfwindow/PWL_Edit.cpp
diff --git a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
index df59c2ccc80d3ad85dfed462835eddad7fbb466f..e2b7a564404733055af3219c4ef6ad63e8319438 100644
--- a/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
+++ b/fpdfsdk/src/pdfwindow/PWL_Edit.cpp
@@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 	CFX_ByteTextBuf sLine;
 
 	FX_INT32 nCharArray = m_pEdit->GetCharArray();
+	FX_SAFE_INT32 nCharArrayDouble = nCharArray;

[Tom Sepez, 2014/08/18 18:15:47]

nit: Can we call this nCharArraySafe?  Double sounds too much like a
floating-point type, even though what you mean is that this value "doubles" the
other as a stand-in for it.

[Bo Xu, 2014/08/18 18:33:58]

Done.

+	nCharArrayDouble -= 1;
+	nCharArrayDouble *= 2;
 
-	if (nCharArray > 0)
+	if (nCharArray > 0 && nCharArrayDouble.IsValid())
 	{
 		switch (GetBorderStyle())
 		{
@@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 				gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth();
 
 				CFX_PathData path;
-				path.SetPointCount((nCharArray-1)*2);
+				if (!path.SetPointCount(nCharArrayDouble.ValueOrDie())) {
+					return;
+				}
 				
 				for (FX_INT32 i=0; i<nCharArray-1; i++)
 				{					
@@ -447,7 +452,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
 				gsd.m_DashPhase = (FX_FLOAT)GetBorderDash().nPhase;
 
 				CFX_PathData path;
-				path.SetPointCount((nCharArray-1)*2);
+				if (!path.SetPointCount(nCharArrayDouble.ValueOrDie())) {
+					return;
+				}
 				
 				for (FX_INT32 i=0; i<nCharArray-1; i++)
 				{