Assert a cast inside cpdf_imagecacheentry.cpp is safe.
CFX_DIBBase::GetHeight() should always return a value that can safely
cast to uint32_t. Add an ASSERT() for this.
Change-Id: Ie541cfcf81f7fedb178d03f408dedb2b0446cc34
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/65614
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/render/cpdf_imagecacheentry.cpp b/core/fpdfapi/render/cpdf_imagecacheentry.cpp
index 98896db..969c505 100644
--- a/core/fpdfapi/render/cpdf_imagecacheentry.cpp
+++ b/core/fpdfapi/render/cpdf_imagecacheentry.cpp
@@ -33,10 +33,13 @@
static uint32_t FPDF_ImageCache_EstimateImageSize(
const RetainPtr<CFX_DIBBase>& pDIB) {
- return pDIB && pDIB->GetBuffer()
- ? (uint32_t)pDIB->GetHeight() * pDIB->GetPitch() +
- pDIB->GetPaletteSize() * 4
- : 0;
+ if (!pDIB || !pDIB->GetBuffer())
+ return 0;
+
+ int height = pDIB->GetHeight();
+ ASSERT(pdfium::base::IsValueInRangeForNumericType<uint32_t>(height));
+ return static_cast<uint32_t>(height) * pDIB->GetPitch() +
+ pDIB->GetPaletteSize() * 4;
}
RetainPtr<CFX_DIBBase> CPDF_ImageCacheEntry::DetachBitmap() {