Fix heap buffer overflow in CPDF_SampledFunc::v_Call

core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
  
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "../../../include/fpdfapi/fpdf_page.h"
 #include "../../../include/fpdfapi/fpdf_module.h"
+#include "../../../third_party/numerics/safe_conversions_impl.h"
 #include "pageint.h"
 #include <limits.h>
 class CPDF_PSEngine;
 typedef enum {PSOP_ADD, PSOP_SUB, PSOP_MUL, PSOP_DIV, PSOP_IDIV, PSOP_MOD,
               PSOP_NEG, PSOP_ABS, PSOP_CEILING, PSOP_FLOOR, PSOP_ROUND, PSOP_TRUNCATE,
               PSOP_SQRT, PSOP_SIN, PSOP_COS, PSOP_ATAN, PSOP_EXP, PSOP_LN, PSOP_LOG,
               PSOP_CVI, PSOP_CVR, PSOP_EQ, PSOP_NE, PSOP_GT, PSOP_GE, PSOP_LT, PSOP_LE,
               PSOP_AND, PSOP_OR, PSOP_XOR, PSOP_NOT, PSOP_BITSHIFT, PSOP_TRUE, PSOP_FALSE,
               PSOP_IF, PSOP_IFELSE, PSOP_POP, PSOP_EXCH, PSOP_DUP, PSOP_COPY,
               PSOP_INDEX, PSOP_ROLL, PSOP_PROC, PSOP_CONST
@@ skipping 527 matching lines @@
         encoded_input[i] = PDF_Interpolate(inputs[i], m_pDomains[i * 2], m_pDomains[i * 2 + 1],
                                            m_pEncodeInfo[i].encode_min, m_pEncodeInfo[i].encode_max);
         index[i] = (int)encoded_input[i];
         if (index[i] < 0) {
             index[i] = 0;
         } else if (index[i] > m_pEncodeInfo[i].sizes - 1) {
             index[i] = m_pEncodeInfo[i].sizes - 1;
         }
         pos += index[i] * blocksize[i];
     }
-    int bitpos = pos * m_nBitsPerSample * m_nOutputs;
+    FX_SAFE_INT32 bitpos = pos;
+    bitpos *= m_nBitsPerSample;
+    bitpos *= m_nOutputs;
+    if (!bitpos.IsValid()) {
+        return FALSE;
+    }
     FX_LPCBYTE pSampleData = m_pSampleStream->GetData();
     if (pSampleData == NULL) {
         return FALSE;
     }
+    FX_SAFE_INT32 bitpos1 = m_nOutputs - 1 > 0 ? m_nOutputs - 1 : 0; 
+    bitpos1 *= m_nBitsPerSample;
+    bitpos1 += bitpos.ValueOrDie();
+    if (!bitpos1.IsValid()) {
+        return FALSE;
+    }
     for (int j = 0; j < m_nOutputs; j ++) {
-        FX_DWORD sample = _GetBits32(pSampleData, bitpos + j * m_nBitsPerSample, m_nBitsPerSample);
+        FX_DWORD sample = _GetBits32(pSampleData, bitpos.ValueOrDie() + j * m_nBitsPerSample, m_nBitsPerSample);
         FX_FLOAT encoded = (FX_FLOAT)sample;
         for (int i = 0; i < m_nInputs; i ++) {
             if (index[i] == m_pEncodeInfo[i].sizes - 1) {
                 if (index[i] == 0) {
                     encoded = encoded_input[i] * (FX_FLOAT)sample;
                 }
             } else {
-                int bitpos1 = bitpos + m_nBitsPerSample * m_nOutputs * blocksize[i];
-                FX_DWORD sample1 = _GetBits32(pSampleData, bitpos1 + j * m_nBitsPerSample, m_nBitsPerSample);
+                FX_SAFE_INT32 bitpos2 = blocksize[i];
+                bitpos2 += 1;
+                bitpos2 *= m_nBitsPerSample; 
+                bitpos2 *= m_nOutputs;
+                bitpos2 += bitpos.ValueOrDie();
+                if (!bitpos2.IsValid()) {
+                    return FALSE;
+                }
+                FX_DWORD sample1 = _GetBits32(pSampleData, bitpos2.ValueOrDie(), m_nBitsPerSample);
                 encoded += (encoded_input[i] - index[i]) * ((FX_FLOAT)sample1 - (FX_FLOAT)sample);
             }
         }
         results[j] = PDF_Interpolate(encoded, 0, (FX_FLOAT)m_SampleMax,
                                      m_pDecodeInfo[j].decode_min, m_pDecodeInfo[j].decode_max);
     }
     return TRUE;
 }
 class CPDF_PSFunc : public CPDF_Function
 {
@@ skipping 294 matching lines @@
         for (int i = 0; i < m_nOutputs; i ++) {
             if (results[i] < m_pRanges[i * 2]) {
                 results[i] = m_pRanges[i * 2];
             } else if (results[i] > m_pRanges[i * 2 + 1]) {
                 results[i] = m_pRanges[i * 2 + 1];
             }
         }
     }
     return TRUE;
 }