commit d5f3e3a18024afa0f6b05d8a7fe05086bdb377d8
author Lei Zhang <thestig@chromium.org> Tue Sep 10 18:59:01 2024 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue Sep 10 18:59:01 2024 +0000
tree 0eada521e70bf6ebba9c6b2789ce556865d34f3e
parent 0c3ef74fdb0558431421911e486cfbef13d2f08a

Prevent some integer overflows in CFX_RenderDevice::DrawPath()

Use more safe math operations to prevent rectangle bounds from having
integer overflows.

Bug: 362832142
Change-Id: Iba43f96ef77886ca3dbc343e4b61db8150289512
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/124250
Reviewed-by: Tom Sepez <tsepez@google.com>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

core/fxge/cfx_renderdevice.cpp

diff --git a/core/fxge/cfx_renderdevice.cpp b/core/fxge/cfx_renderdevice.cpp
index 008d327..6d52dc2 100644
--- a/core/fxge/cfx_renderdevice.cpp
+++ b/core/fxge/cfx_renderdevice.cpp
@@ -628,35 +628,52 @@
       // Depending on the top/bottom, left/right values of the rect it's
       // possible to overflow the Width() and Height() calculations. Check that
       // the rect will have valid dimension before continuing.
-      if (!rect_i.Valid())
+      if (!rect_i.Valid()) {
         return false;
+      }
 
       int width = static_cast<int>(ceil(rect_f.right - rect_f.left));
       if (width < 1) {
         width = 1;
-        if (rect_i.left == rect_i.right)
-          ++rect_i.right;
+        if (rect_i.left == rect_i.right) {
+          if (!pdfium::CheckAdd(rect_i.right, 1).AssignIfValid(&rect_i.right)) {
+            return false;
+          }
+        }
       }
       int height = static_cast<int>(ceil(rect_f.top - rect_f.bottom));
       if (height < 1) {
         height = 1;
-        if (rect_i.bottom == rect_i.top)
-          ++rect_i.bottom;
+        if (rect_i.bottom == rect_i.top) {
+          if (!pdfium::CheckAdd(rect_i.bottom, 1)
+                   .AssignIfValid(&rect_i.bottom)) {
+            return false;
+          }
+        }
       }
       if (rect_i.Width() >= width + 1) {
         if (rect_f.left - static_cast<float>(rect_i.left) >
             static_cast<float>(rect_i.right) - rect_f.right) {
-          ++rect_i.left;
+          if (!pdfium::CheckAdd(rect_i.left, 1).AssignIfValid(&rect_i.left)) {
+            return false;
+          }
         } else {
-          --rect_i.right;
+          if (!pdfium::CheckSub(rect_i.right, 1).AssignIfValid(&rect_i.right)) {
+            return false;
+          }
         }
       }
       if (rect_i.Height() >= height + 1) {
         if (rect_f.top - static_cast<float>(rect_i.top) >
             static_cast<float>(rect_i.bottom) - rect_f.bottom) {
-          ++rect_i.top;
+          if (!pdfium::CheckAdd(rect_i.top, 1).AssignIfValid(&rect_i.top)) {
+            return false;
+          }
         } else {
-          --rect_i.bottom;
+          if (!pdfium::CheckSub(rect_i.bottom, 1)
+                   .AssignIfValid(&rect_i.bottom)) {
+            return false;
+          }
         }
       }
       if (FillRect(rect_i, fill_color)) {