Strengthen bounds check in CWeightTable::Calc * part II This CL implemented a better version of CWeightTable::GetPixelWeightSize(), which will calculate the size of array PixelWeight.m_Weights correctly to prevent potential heap buffer overflow conditions. BUG=chromium:654183 R=ochang@chromium.org, thestig@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2404453003

commit: 05923132ae08d45fbe957219775a48c55ee57aef [log] [tgz]
author: stackexploit <stackexploit@gmail.com> Mon Oct 17 00:16:23 2016 -0700
committer: Commit bot <commit-bot@chromium.org> Mon Oct 17 00:16:23 2016 -0700
tree: 0be67d246a0733788cc3f5b31edb967ac3e73267
parent: 4dc112664e9d87c0d450ee3349a5091c624a3363 [diff]
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 389cf23..47dcf03 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp

@@ -43,7 +43,7 @@
 }
 
 size_t CWeightTable::GetPixelWeightSize() const {
-  return m_dwWeightTablesSize / sizeof(int);
+  return m_ItemSize / sizeof(int) - 2;
 }
 
 bool CWeightTable::Calc(int dest_len,
commit	05923132ae08d45fbe957219775a48c55ee57aef	[log] [tgz]
author	stackexploit <stackexploit@gmail.com>	Mon Oct 17 00:16:23 2016 -0700
committer	Commit bot <commit-bot@chromium.org>	Mon Oct 17 00:16:23 2016 -0700
tree	0be67d246a0733788cc3f5b31edb967ac3e73267
parent	4dc112664e9d87c0d450ee3349a5091c624a3363 [diff]