Fix integer overflow in CPDF_RenderStatus::LoadSMask().

Bug: chromium:1386124
Change-Id: Ie6ff5b549570f64f73e4dd01fab738af5b937905
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/101670
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index d401286..2f20b29 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -53,6 +53,7 @@
 #include "core/fpdfapi/render/cpdf_type3cache.h"
 #include "core/fxcrt/autorestorer.h"
 #include "core/fxcrt/data_vector.h"
+#include "core/fxcrt/fx_2d_size.h"
 #include "core/fxcrt/fx_memory.h"
 #include "core/fxcrt/fx_safe_types.h"
 #include "core/fxcrt/fx_system.h"
@@ -1462,10 +1463,12 @@
     std::iota(transfers.begin(), transfers.end(), 0);
   }
   if (bLuminosity) {
-    int Bpp = bitmap->GetBPP() / 8;
+    const int Bpp = bitmap->GetBPP() / 8;
     for (int row = 0; row < height; row++) {
-      uint8_t* dest_pos = dest_buf.subspan(row * dest_pitch).data();
-      const uint8_t* src_pos = src_buf.subspan(row * src_pitch).data();
+      const size_t dest_offset = Fx2DSizeOrDie(row, dest_pitch);
+      const size_t src_offset = Fx2DSizeOrDie(row, src_pitch);
+      uint8_t* dest_pos = dest_buf.subspan(dest_offset).data();
+      const uint8_t* src_pos = src_buf.subspan(src_offset).data();
       for (int col = 0; col < width; col++) {
         *dest_pos++ = transfers[FXRGB2GRAY(src_pos[2], src_pos[1], *src_pos)];
         src_pos += Bpp;
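Review bot: The row offsets are now overflow-checked, but `subspan(dest_offset).data()` and `subspan(src_offset).data()` still drop the span bounds, so the inner `col` loop walks raw pointers and reads `src_pos[2]`. Nothing visible in the hunk ties `width * Bpp` to `src_pitch` or `width` to `dest_pitch`. If `bitmap->GetBPP()` can be below 24 on this path, `Bpp` is under 3 and `src_pos[2]` reads past the pixel; any format guarantee is outside the hunk. Consider bounding each row with the two-argument form, e.g. `auto src_row = src_buf.subspan(src_offset, Fx2DSizeOrDie(width, Bpp));` and `auto dest_row = dest_buf.subspan(dest_offset, width);`, then indexing the spans instead of incrementing pointers. The loop body continues past the end of the hunk.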