Fix an integer overflow in CStretchEngine constructor
When the source bitmap's width and height are large,
the multiplication could easily overflow a signed integer.
Change to use 'long long' type for calculation to avoid that.
BUG=chromium:635663
Review-Url: https://codereview.chromium.org/2240723002
diff --git a/BUILD.gn b/BUILD.gn
index 8d9dd81..a4a3e8d 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1572,6 +1572,7 @@
"core/fxcrt/fx_bidi_unittest.cpp",
"core/fxcrt/fx_extension_unittest.cpp",
"core/fxcrt/fx_system_unittest.cpp",
+ "core/fxge/dib/fx_dib_engine_unittest.cpp",
"fpdfsdk/fpdfdoc_unittest.cpp",
"fpdfsdk/fpdfeditimg_unittest.cpp",
]
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 520148f..88b0d4b 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -306,8 +306,8 @@
FX_BOOL bInterpol =
flags & FXDIB_INTERPOL || flags & FXDIB_BICUBIC_INTERPOL;
if (!bInterpol && FXSYS_abs(dest_width) != 0 &&
- FXSYS_abs(dest_height) <
- m_SrcWidth * m_SrcHeight * 8 / FXSYS_abs(dest_width)) {
+ FXSYS_abs(dest_height) / 8 < static_cast<long long>(m_SrcWidth) *
+ m_SrcHeight / FXSYS_abs(dest_width)) {
flags = FXDIB_INTERPOL;
}
m_Flags = flags;
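Review bot: The rewritten condition on the two `+` lines is not strictly equivalent to the old one, because `FXSYS_abs(dest_height) / 8` truncates. Any destination height below 8 now compares as 0 and selects `FXDIB_INTERPOL` whenever the right-hand quotient is at least 1. Moving the factor of 8 to the left looks deliberate, since the product of two `int` values times 8 could exceed even `long long`, but the line should say so, e.g. `// Divide the left side by 8 instead of multiplying the right: W * H * 8 may not fit in 64 bits.` Separately, `FXSYS_abs(dest_width)` and `FXSYS_abs(dest_height)` are still computed in `int`; if `FXSYS_abs` maps to `abs()`, `INT_MIN` is not representable after negation, so it is worth confirming that callers bound these values. The constructor begins and ends outside this hunk, so other size arithmetic on `m_SrcWidth` and `m_SrcHeight` is not visible here.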
diff --git a/core/fxge/dib/fx_dib_engine_unittest.cpp b/core/fxge/dib/fx_dib_engine_unittest.cpp
new file mode 100644
index 0000000..d185adf
--- /dev/null
+++ b/core/fxge/dib/fx_dib_engine_unittest.cpp
@@ -0,0 +1,30 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <memory>
+
+#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_number.h"
+#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h"
+#include "core/fpdfapi/fpdf_render/render_int.h"
+#include "core/fxcrt/include/fx_memory.h"
+#include "core/fxge/dib/dib_int.h"
+#include "core/fxge/include/fx_dib.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(CStretchEngine, OverflowInCtor) {
+ FX_RECT clip_rect;
+ std::unique_ptr<CPDF_Dictionary, ReleaseDeleter<CPDF_Dictionary>> dict_obj(
+ new CPDF_Dictionary);
+ dict_obj->SetAt("Width", new CPDF_Number(71000));
+ dict_obj->SetAt("Height", new CPDF_Number(12500));
+ std::unique_ptr<CPDF_Stream, ReleaseDeleter<CPDF_Stream>> stream(
+ new CPDF_Stream(nullptr, 0, dict_obj.release()));
+ CPDF_DIBSource dib_source;
+ dib_source.Load(nullptr, stream.get(), nullptr, nullptr, nullptr, nullptr,
+ false, 0, false);
+ CStretchEngine engine(nullptr, FXDIB_8bppRgb, 500, 500, clip_rect,
+ &dib_source, 0);
+ EXPECT_EQ(FXDIB_INTERPOL, engine.m_Flags);
+}
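Review bot: The test ignores the result of `dib_source.Load(...)`, so if loading the zero-length stream fails, the engine may be built from a source that does not have the 71000 x 12500 dimensions. The final `EXPECT_EQ` would then pass or fail for an unrelated reason. Assuming `Load` reports success through its return value, wrap it as `ASSERT_TRUE(dib_source.Load(...));`, or assert the dimensions directly before constructing the engine. A short comment above the `SetAt` calls would also make the regression intent clear, e.g. `// 71000 * 12500 * 8 exceeds INT_MAX, which overflowed the old int arithmetic.` The test covers only positive 500 x 500 destinations; a case with a negative `dest_width` or `dest_height` would exercise the `FXSYS_abs` paths in the same condition.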
diff --git a/pdfium.gyp b/pdfium.gyp
index 1cc8758..f04ce42 100644
--- a/pdfium.gyp
+++ b/pdfium.gyp
@@ -949,6 +949,7 @@
'core/fxcrt/fx_bidi_unittest.cpp',
'core/fxcrt/fx_extension_unittest.cpp',
'core/fxcrt/fx_system_unittest.cpp',
+ 'core/fxge/dib/fx_dib_engine_unittest.cpp',
'fpdfsdk/fpdfdoc_unittest.cpp',
'fpdfsdk/fpdfeditimg_unittest.cpp',
'testing/fx_string_testhelpers.h',