Google Git
Sign in
pdfium/pdfium.git/refs/heads/chromium/6801^!/.
commit
b72468fa26e7b7d385d786762d90993c26cdf5b4
[log]
author
Lei Zhang <thestig@chromium.org>
Thu Oct 24 21:41:02 2024 +0000
committer
Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>
Thu Oct 24 21:41:02 2024 +0000
tree
0ef403b9c7150b8fff2bcd2ddf70b563d3273e3e
parent
1c6f2ae03ac7c77cab798871d03c2aa31c359886 [diff]
Avoid integer overflow in DrawNormalTextHelper()

Use FX_SAFE_INT32 to check for integer overflows.

Bug: 374218982
Change-Id: I8723232e47d736687e2ccd4f801eddae9f543fc0
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/125450
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

diff --git a/core/fxge/cfx_renderdevice.cpp b/core/fxge/cfx_renderdevice.cpp
index 753d56a..4813d4b 100644
--- a/core/fxge/cfx_renderdevice.cpp
+++ b/core/fxge/cfx_renderdevice.cpp

@@ -220,9 +220,12 @@
   const bool has_alpha = bitmap->IsAlphaFormat();
   const int bytes_per_pixel = has_alpha ? 4 : bitmap->GetBPP() / 8;
   for (int row = 0; row < nrows; ++row) {
-    int dest_row = row + top;
-    if (dest_row < 0 || dest_row >= bitmap->GetHeight())
+    FX_SAFE_INT32 safe_dest_row = row;
+    safe_dest_row += top;
+    const int dest_row = safe_dest_row.ValueOrDefault(-1);
+    if (dest_row < 0 || dest_row >= bitmap->GetHeight()) {
       continue;
+    }
 
     const uint8_t* src_scan =
         pGlyph->GetScanline(row).subspan((start_col - left) * 3).data();