commit 41ca949d4cedf9eb1ad3dca26c4ccba4cbf3609e
author Lei Zhang <thestig@chromium.org> Fri Dec 14 23:59:45 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Fri Dec 14 23:59:45 2018 +0000
tree 9f261770406b3d65318c06f944e09ddf4c16213a
parent bbf970755e8ee41320446d4879fcfe50330de30c

Fix integer overflow in CFX_DIBBase::GetOverlapRect().

BUG=chromium:914983

Change-Id: I2c248c7af1c19b419925c87341491a2b98beea66
Reviewed-on: https://pdfium-review.googlesource.com/c/47271
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

core/fxge/dib/cfx_dibbase.cpp

diff --git a/core/fxge/dib/cfx_dibbase.cpp b/core/fxge/dib/cfx_dibbase.cpp
index 2338cac..6f490c6 100644
--- a/core/fxge/dib/cfx_dibbase.cpp
+++ b/core/fxge/dib/cfx_dibbase.cpp
@@ -887,8 +887,19 @@
     dest_rect.Intersect(pClipRgn->GetBox());
   dest_left = dest_rect.left;
   dest_top = dest_rect.top;
-  src_left = dest_left - x_offset;
-  src_top = dest_top - y_offset;
+
+  pdfium::base::CheckedNumeric<int> safe_src_left = dest_left;
+  safe_src_left -= x_offset;
+  if (!safe_src_left.IsValid())
+    return false;
+  src_left = safe_src_left.ValueOrDie();
+
+  pdfium::base::CheckedNumeric<int> safe_src_top = dest_top;
+  safe_src_top -= y_offset;
+  if (!safe_src_top.IsValid())
+    return false;
+  src_top = safe_src_top.ValueOrDie();
+
   width = dest_rect.right - dest_rect.left;
   height = dest_rect.bottom - dest_rect.top;
   return width != 0 && height != 0;