Google Git
Sign in
pdfium / pdfium / 782c5be63d0c4ba9a923a2b40241b003cdc25c18^! / .
commit782c5be63d0c4ba9a923a2b40241b003cdc25c18[log] [tgz]
authorLei Zhang <thestig@chromium.org>Tue Jun 04 16:51:38 2019 +0000
committerChromium commit bot <commit-bot@chromium.org>Tue Jun 04 16:51:38 2019 +0000
tree8c459d6765b9318aa03e8cf7887eb036754473d0
parent4e81c8a0cec862ac9a3261e86a01e8db23f2025f [diff]
Avoid undefined behavior in CFX_ImageStretcher.

Add an assertion that CFX_ImageStretcher receives a valid |m_ClipRect|
member. Fix a known case where it can receive an invalid one from
CFX_ImageTransformer.

BUG=chromium:964872

Change-Id: I20469a7812405fd1f95c7bce2a7ea9ffb6c27afc
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/55400
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

diff --git a/core/fxge/dib/cfx_imagestretcher.cpp b/core/fxge/dib/cfx_imagestretcher.cpp
index 802d118..3e97563 100644
--- a/core/fxge/dib/cfx_imagestretcher.cpp
+++ b/core/fxge/dib/cfx_imagestretcher.cpp

@@ -60,7 +60,9 @@
       m_ClipRect(bitmap_rect),
       m_DestFormat(GetStretchedFormat(*pSource)),
       m_DestBPP(GetBppFromFormat(m_DestFormat)),
-      m_LineIndex(0) {}
+      m_LineIndex(0) {
+  ASSERT(m_ClipRect.Valid());
+}
 
 CFX_ImageStretcher::~CFX_ImageStretcher() {}
 

diff --git a/core/fxge/dib/cfx_imagestretcher.h b/core/fxge/dib/cfx_imagestretcher.h
index 45544cb..1c2e425 100644
--- a/core/fxge/dib/cfx_imagestretcher.h
+++ b/core/fxge/dib/cfx_imagestretcher.h

@@ -51,7 +51,7 @@
   bool m_bFlipY;
   int m_DestWidth;
   int m_DestHeight;
-  FX_RECT m_ClipRect;
+  const FX_RECT m_ClipRect;
   const FXDIB_Format m_DestFormat;
   const int m_DestBPP;
   int m_LineIndex;

diff --git a/core/fxge/dib/cfx_imagetransformer.cpp b/core/fxge/dib/cfx_imagetransformer.cpp
index 9bbbaa6..8de9f0a 100644
--- a/core/fxge/dib/cfx_imagetransformer.cpp
+++ b/core/fxge/dib/cfx_imagetransformer.cpp

@@ -244,20 +244,29 @@
     m_Status = 2;
     return;
   }
+
   int stretch_width =
       static_cast<int>(ceil(FXSYS_sqrt2(m_matrix.a, m_matrix.b)));
   int stretch_height =
       static_cast<int>(ceil(FXSYS_sqrt2(m_matrix.c, m_matrix.d)));
-  CFX_Matrix stretch2dest(1.0f, 0.0f, 0.0f, -1.0f, 0.0f, stretch_height);
-  stretch2dest.Concat(
+  CFX_Matrix stretch_to_dest(1.0f, 0.0f, 0.0f, -1.0f, 0.0f, stretch_height);
+  stretch_to_dest.Concat(
       CFX_Matrix(m_matrix.a / stretch_width, m_matrix.b / stretch_width,
                  m_matrix.c / stretch_height, m_matrix.d / stretch_height,
                  m_matrix.e, m_matrix.f));
-  m_dest2stretch = stretch2dest.GetInverse();
+  CFX_Matrix dest_to_strech = stretch_to_dest.GetInverse();
 
-  m_StretchClip =
-      m_dest2stretch.TransformRect(CFX_FloatRect(result_clip)).GetOuterRect();
-  m_StretchClip.Intersect(0, 0, stretch_width, stretch_height);
+  FX_RECT stretch_clip =
+      dest_to_strech.TransformRect(CFX_FloatRect(result_clip)).GetOuterRect();
+  if (!stretch_clip.Valid())
+    return;
+
+  stretch_clip.Intersect(0, 0, stretch_width, stretch_height);
+  if (!stretch_clip.Valid())
+    return;
+
+  m_dest2stretch = dest_to_strech;
+  m_StretchClip = stretch_clip;
   m_Stretcher = pdfium::MakeUnique<CFX_ImageStretcher>(
       &m_Storer, m_pSrc, stretch_width, stretch_height, m_StretchClip,
       m_ResampleOptions);