Fix integer overflow in CFX_DIBBase::GetOverlapRect().
BUG=chromium:914983
Change-Id: I2c248c7af1c19b419925c87341491a2b98beea66
Reviewed-on: https://pdfium-review.googlesource.com/c/47271
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/dib/cfx_dibbase.cpp b/core/fxge/dib/cfx_dibbase.cpp
index 2338cac..6f490c6 100644
--- a/core/fxge/dib/cfx_dibbase.cpp
+++ b/core/fxge/dib/cfx_dibbase.cpp
@@ -887,8 +887,19 @@
dest_rect.Intersect(pClipRgn->GetBox());
dest_left = dest_rect.left;
dest_top = dest_rect.top;
- src_left = dest_left - x_offset;
- src_top = dest_top - y_offset;
+
+ pdfium::base::CheckedNumeric<int> safe_src_left = dest_left;
+ safe_src_left -= x_offset;
+ if (!safe_src_left.IsValid())
+ return false;
+ src_left = safe_src_left.ValueOrDie();
+
+ pdfium::base::CheckedNumeric<int> safe_src_top = dest_top;
+ safe_src_top -= y_offset;
+ if (!safe_src_top.IsValid())
+ return false;
+ src_top = safe_src_top.ValueOrDie();
+
width = dest_rect.right - dest_rect.left;
height = dest_rect.bottom - dest_rect.top;
return width != 0 && height != 0;
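Review bot: The `width = dest_rect.right - dest_rect.left;` and `height = dest_rect.bottom - dest_rect.top;` lines at the end of the hunk are still plain `int` subtractions, so the same signed-overflow class the commit fixes for `src_left`/`src_top` remains one line below the new checks; whether the intersected `dest_rect` can actually hold coordinates far enough apart depends on what `pClipRgn->GetBox()` and the rect construction earlier in the function allow, which is outside this hunk, so this is a hardening suggestion rather than a reproduced overflow. The `x_offset`/`y_offset` operands are also computed before the hunk begins (GetOverlapRect's body starts outside the hunk), so it is worth confirming that they are derived with the same checked arithmetic. As a style point, the two new four-line blocks are identical except for the operands; a small file-local `static bool CheckedSub(int a, int b, int* out)` helper using `pdfium::base::CheckedNumeric<int>` would express all four subtractions in one line each. Extending the checks to width and height with the existing idiom looks like this:
```cpp
// … unchanged: checked src_left / src_top computation …
pdfium::base::CheckedNumeric<int> safe_width = dest_rect.right;
safe_width -= dest_rect.left;
if (!safe_width.IsValid())
  return false;
width = safe_width.ValueOrDie();

pdfium::base::CheckedNumeric<int> safe_height = dest_rect.bottom;
safe_height -= dest_rect.top;
if (!safe_height.IsValid())
  return false;
height = safe_height.ValueOrDie();
return width != 0 && height != 0;
```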