Fix heap buffer overflow in CPDF_SampledFunc::v_Call

Fix heap buffer overflow in CPDF_SampledFunc::v_Call

This issue was caused by integer overflow in CPDF_SampledFunc::v_Call.
The root cause of this issue is that the content in the test pdf file
was damaged. The solution is to check whether an integer is overflow
before using it.

BUG=452455
R=tsepez@chromium.org

Committed: https://pdfium.googlesource.com/pdfium/+/7dc63e6c53add27084929ffe52436b7bb6667a80

[jun_fang, 2015-01-30 04:46:50]

jun_fang@foxitsoftware.com changed reviewers:
+ kai_jing@foxitsoftware.com, tsepez@chromium.org

[jun_fang, 2015-01-30 04:46:51]

Hi Tom, please review it. Thanks!

[Tom Sepez, 2015-01-30 17:32:24]

OK, the code is fine, but we should be able to minimize the original input file
to get an automatable test case under our new test framework. Ideally, that
should land at the same time to show that the change fixes the issue.

[Tom Sepez, 2015-01-30 17:40:41]

Curious that the caller doesn't check the result at or around
fpdf_page_func.cpp:875

[Tom Sepez, 2015-01-30 18:35:04]

On 2015/01/30 17:40:41, Tom Sepez wrote:
> Curious that the caller doesn't check the result at or around
> fpdf_page_func.cpp:875

Jun, go ahead and land this CL.  I'm close to having a test anyways that I'll
add later.

[jun_fang, 2015-01-30 18:39:28]

On 2015/01/30 17:32:24, Tom Sepez wrote:
> OK, the code is fine, but we should be able to minimize the original input
file
> to get an automatable test case under our new test framework. Ideally, that
> should land at the same time to show that the change fixes the issue.

The original input file is just around 9k. Do we need to take much effort to
minimize it?

[jun_fang, 2015-01-30 18:42:33]

On 2015/01/30 18:35:04, Tom Sepez wrote:
> On 2015/01/30 17:40:41, Tom Sepez wrote:
> > Curious that the caller doesn't check the result at or around
> > fpdf_page_func.cpp:875
> 
> Jun, go ahead and land this CL.  I'm close to having a test anyways that I'll
> add later.

Thanks. Does it look good to you?

[Tom Sepez, 2015-01-30 19:18:45]

lgtm

[jun_fang, 2015-01-31 18:12:58]

Committed patchset #1 (id:1) manually as
7dc63e6c53add27084929ffe52436b7bb6667a80 (presubmit successful).