Avoid integer overflows in CFX_BitmapComposer::ComposeScanlineV().
Bug: chromium:1386121
Change-Id: I7870dd74a369b9859341581ce0d5304e88f3273b
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/101750
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/dib/cfx_bitmapcomposer.cpp b/core/fxge/dib/cfx_bitmapcomposer.cpp
index 1ddd1bc..6cd3051 100644
--- a/core/fxge/dib/cfx_bitmapcomposer.cpp
+++ b/core/fxge/dib/cfx_bitmapcomposer.cpp
@@ -8,6 +8,7 @@
#include <string.h>
+#include "core/fxcrt/fx_2d_size.h"
#include "core/fxcrt/fx_coordinates.h"
#include "core/fxcrt/fx_safe_types.h"
#include "core/fxcrt/span_util.h"
@@ -145,18 +146,24 @@
int dest_x = m_DestLeft + (m_bFlipX ? (m_DestWidth - line - 1) : line);
pdfium::span<uint8_t> dest_span = m_pBitmap->GetBuffer();
if (!dest_span.empty()) {
- dest_span = dest_span.subspan(dest_x * Bpp + m_DestTop * dest_pitch);
- if (m_bFlipY)
- dest_span = dest_span.subspan(dest_pitch * (m_DestHeight - 1));
+ const size_t dest_x_offset = Fx2DSizeOrDie(dest_x, Bpp);
+ const size_t dest_y_offset = Fx2DSizeOrDie(m_DestTop, dest_pitch);
+ dest_span = dest_span.subspan(dest_y_offset).subspan(dest_x_offset);
+ if (m_bFlipY) {
+ const size_t dest_flip_offset =
+ Fx2DSizeOrDie(dest_pitch, m_DestHeight - 1);
+ dest_span = dest_span.subspan(dest_flip_offset);
+ }
}
uint8_t* dest_buf = dest_span.data();
pdfium::span<uint8_t> dest_alpha_span = m_pBitmap->GetAlphaMaskBuffer();
if (!dest_alpha_span.empty()) {
- dest_alpha_span =
- dest_alpha_span.subspan(dest_x + m_DestTop * dest_alpha_pitch);
+ size_t dest_y_offset = Fx2DSizeOrDie(m_DestTop, dest_alpha_pitch);
+ dest_alpha_span = dest_alpha_span.subspan(dest_x).subspan(dest_y_offset);
if (m_bFlipY) {
- dest_alpha_span =
- dest_alpha_span.subspan(dest_alpha_pitch * (m_DestHeight - 1));
+ size_t dest_flip_offset =
+ Fx2DSizeOrDie(dest_alpha_pitch, m_DestHeight - 1);
+ dest_alpha_span = dest_alpha_span.subspan(dest_flip_offset);
}
}
uint8_t* dest_alpha_buf = dest_alpha_span.data();
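Review bot: In the alpha-mask branch `dest_x` is still passed to `subspan()` as a plain `int`, so a negative value is caught only after it has been implicitly converted to a very large `size_t`. The colour branch instead routes `dest_x` through `Fx2DSizeOrDie(dest_x, Bpp)`. Making the conversion explicit, e.g. `dest_alpha_span.subspan(pdfium::base::checked_cast<size_t>(dest_x))` (assuming the safe-conversions header is reachable from this file), would keep the two branches symmetric and show the intent at the call site. The two new alpha locals could also be `const size_t` to match the colour branch, e.g. `const size_t dest_y_offset = Fx2DSizeOrDie(m_DestTop, dest_alpha_pitch);`. Separately, the `dest_x` computation on the hunk's first line is still unchecked signed arithmetic on `m_DestLeft`, `m_DestWidth` and `line`; whether callers bound those values cannot be seen here, since ComposeScanlineV() begins and ends outside this hunk.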
@@ -190,7 +197,7 @@
.subspan(dest_x - m_pClipRgn->GetBox().left)
.data();
if (m_bFlipY) {
- src_clip += clip_pitch * (m_DestHeight - 1);
+ src_clip += Fx2DSizeOrDie(clip_pitch, m_DestHeight - 1);
clip_pitch = -clip_pitch;
}
for (int i = 0; i < m_DestHeight; ++i) {
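Review bot: The flip offset is now overflow-checked, but it is still added to `src_clip` after `.data()` has dropped the span, so nothing verifies that `clip_pitch * (m_DestHeight - 1)` stays inside the clip mask buffer. Keeping the mask as a span until the flip adjustment is done would let `subspan()` enforce that bound the way the destination buffers above do, for example `clip_span = clip_span.subspan(Fx2DSizeOrDie(clip_pitch, m_DestHeight - 1));` (where `clip_span` is a suggested local name), with `.data()` taken afterwards. If the mask is guaranteed to cover the destination height elsewhere, a short comment saying so next to the `+=` would do instead. The statement that builds `src_clip` starts above this hunk and the loop continues below it, so this is based only on the visible lines.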