Strengthen bounds check in CWeightTable::Calc.
The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize),
but PixelWeight.m_Weights is an int array, so m_dwWeightTablesSize is a size in bytes, not a count of int elements.
Thus bounds checks such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and
|idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function
CWeightTable::GetValueFromPixelWeight() were insufficient.
This CL strengthens the bounds checks for accessing the int array PixelWeight.m_Weights.
BUG=chromium:619398
R=ochang@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2322903002
diff --git a/core/fxge/dib/dib_int.h b/core/fxge/dib/dib_int.h
index aa4a792..31ccc8d 100644
--- a/core/fxge/dib/dib_int.h
+++ b/core/fxge/dib/dib_int.h
@@ -55,6 +55,7 @@
int flags);
PixelWeight* GetPixelWeight(int pixel) const;
int* GetValueFromPixelWeight(PixelWeight* pWeight, int index) const;
+ size_t GetPixelWeightSize() const;
private:
int m_DestMin;
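Review bot: The new `GetPixelWeightSize()` declaration does not say what unit it returns, and the bug being fixed was a confusion between bytes and elements. A one-line comment above it would help, for example `// Number of int elements (not bytes) that fit in the weight table allocation; used to bound m_Weights indices.` It is also declared above `private:`, so if nothing outside CWeightTable calls it, it could move below that label to keep the class interface narrow.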
diff --git a/core/fxge/dib/fx_dib_engine.cpp b/core/fxge/dib/fx_dib_engine.cpp
index 88b0d4b..7ba031e 100644
--- a/core/fxge/dib/fx_dib_engine.cpp
+++ b/core/fxge/dib/fx_dib_engine.cpp
@@ -41,6 +41,10 @@
FX_Free(m_pWeightTables);
}
+size_t CWeightTable::GetPixelWeightSize() const {
+ return m_dwWeightTablesSize / sizeof(int);
+}
+
bool CWeightTable::Calc(int dest_len,
int dest_min,
int dest_max,
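Review bot: `GetPixelWeightSize()` returns `m_dwWeightTablesSize / sizeof(int)`, the number of ints in the whole allocation, which may still be a looser bound than the room a single `PixelWeight` has for `m_Weights`. If `m_pWeightTables` holds several entries (as `GetPixelWeight(int pixel)` suggests), each with fields such as `m_SrcStart` ahead of `m_Weights`, an `idx` that passes the check can still land in a neighbouring entry or, for later entries, past the end of the buffer. The checks in Calc() (`if (idx >= GetPixelWeightSize())`) and in GetValueFromPixelWeight() both use this bound, so both are affected. A per-entry capacity would be tighter, along the lines of `return (<per-entry byte size> - offsetof(PixelWeight, m_Weights)) / sizeof(int);`. The struct layout and the allocation are outside this diff, so this needs confirming against them.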
@@ -235,7 +239,7 @@
break;
}
size_t idx = j - start_i;
- if (idx >= m_dwWeightTablesSize)
+ if (idx >= GetPixelWeightSize())
return false;
pixel_weights.m_Weights[idx] = FXSYS_round((FX_FLOAT)(weight * 65536));
}
@@ -255,7 +259,7 @@
return nullptr;
size_t idx = index - pWeight->m_SrcStart;
- return idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr;
+ return idx < GetPixelWeightSize() ? &pWeight->m_Weights[idx] : nullptr;
}
CStretchEngine::CStretchEngine(IFX_ScanlineComposer* pDestBitmap,