Avoid float-cast-overflow in IccTransform::Translate

The float value is currently cast to an integer, then clamped. This can
cause undefined behavior on overflow, which disappears if the order
is reversed.

This bug was found using an internal fuzz test.

Fixed: b/350782910
PiperOrigin-RevId: 650721211
Change-Id: Iec1359141636a24dbcf344a668a188c1a9d1ba03
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/121610
Auto-Submit: Ilaï Deutel <idtl@google.com>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxcodec/icc/icc_transform.cpp b/core/fxcodec/icc/icc_transform.cpp
index fd1fb07..552ad4a 100644
--- a/core/fxcodec/icc/icc_transform.cpp
+++ b/core/fxcodec/icc/icc_transform.cpp
@@ -127,7 +127,7 @@
} else {
DataVector<uint8_t> inputs(std::max<size_t>(pSrcValues.size(), 16));
for (size_t i = 0; i < pSrcValues.size(); ++i) {
- inputs[i] = std::clamp(static_cast<int>(pSrcValues[i] * 255.0f), 0, 255);
+ inputs[i] = static_cast<int>(std::clamp(pSrcValues[i] * 255.0f, 0.0f, 255.0f));
}
cmsDoTransform(m_hTransform, inputs.data(), output, 1);
}
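Review bot: A NaN in pSrcValues[i] would still reach static_cast<int> on the added line, because std::clamp only bounds ordered values: every comparison against NaN is false, so in practice the clamp hands the NaN back unchanged and the float-to-int conversion is still out of range. If the source values can be fuzzer-controlled, as the commit message suggests, consider mapping NaN to 0 before the cast, for example with a std::isnan check on pSrcValues[i]. A unit test feeding values below 0, above 1 and of very large magnitude would also keep the clamp-then-cast order from regressing. As a style point, the result could be cast directly to uint8_t, the element type of inputs, rather than to int.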