Assert a cast inside cpdf_imagecacheentry.cpp is safe. CFX_DIBBase::GetHeight() should always return a value that can safely cast to uint32_t. Add an ASSERT() for this. Change-Id: Ie541cfcf81f7fedb178d03f408dedb2b0446cc34 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/65614 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: 37a56ac4b1597569dd727999cd2f26879eacdb1f [log] [tgz]
author: Lei Zhang <thestig@chromium.org> Tue Jan 28 20:15:53 2020 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Tue Jan 28 20:15:53 2020 +0000
tree: 951e1a887623601fb03239b9e7b9c68c33ec3d38
parent: a9a704ed821f7038e56da259166dfe17d95a1cf3 [diff]
diff --git a/core/fpdfapi/render/cpdf_imagecacheentry.cpp b/core/fpdfapi/render/cpdf_imagecacheentry.cpp
index 98896db..969c505 100644
--- a/core/fpdfapi/render/cpdf_imagecacheentry.cpp
+++ b/core/fpdfapi/render/cpdf_imagecacheentry.cpp

@@ -33,10 +33,13 @@
 
 static uint32_t FPDF_ImageCache_EstimateImageSize(
     const RetainPtr<CFX_DIBBase>& pDIB) {
-  return pDIB && pDIB->GetBuffer()
-             ? (uint32_t)pDIB->GetHeight() * pDIB->GetPitch() +
-                   pDIB->GetPaletteSize() * 4
-             : 0;
+  if (!pDIB || !pDIB->GetBuffer())
+    return 0;
+
+  int height = pDIB->GetHeight();
+  ASSERT(pdfium::base::IsValueInRangeForNumericType<uint32_t>(height));
+  return static_cast<uint32_t>(height) * pDIB->GetPitch() +
+         pDIB->GetPaletteSize() * 4;
 }
 
 RetainPtr<CFX_DIBBase> CPDF_ImageCacheEntry::DetachBitmap() {
commit	37a56ac4b1597569dd727999cd2f26879eacdb1f	[log] [tgz]
author	Lei Zhang <thestig@chromium.org>	Tue Jan 28 20:15:53 2020 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Tue Jan 28 20:15:53 2020 +0000
tree	951e1a887623601fb03239b9e7b9c68c33ec3d38
parent	a9a704ed821f7038e56da259166dfe17d95a1cf3 [diff]