commit e6ca7c2d7d45bd59d53c3c6f9952e2001cf81890
author Henrique Nakashima <hnakashima@chromium.org> Fri Jun 22 17:10:36 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Fri Jun 22 17:10:36 2018 +0000
tree 8b2db7c1a6a7c8bce469c26795d132d7519e8c37
parent 0a49103801e322656eeacf8764cc0cb557059cea

Fix overflow in CFX_RenderDevice::DrawFillStrokePath().

Bug: chromium:853430
Change-Id: I1c42de1e3db10dfb6399cd8abdd13c56addc8827
Reviewed-on: https://pdfium-review.googlesource.com/35850
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

core/fxge/cfx_renderdevice.cpp

diff --git a/core/fxge/cfx_renderdevice.cpp b/core/fxge/cfx_renderdevice.cpp
index c63f2f5..16d7237 100644
--- a/core/fxge/cfx_renderdevice.cpp
+++ b/core/fxge/cfx_renderdevice.cpp
@@ -632,21 +632,24 @@
     bbox = pObject2Device->TransformRect(bbox);
 
   FX_RECT rect = bbox.GetOuterRect();
+  if (!rect.Valid())
+    return false;
+
   auto bitmap = pdfium::MakeRetain<CFX_DIBitmap>();
-  auto Backdrop = pdfium::MakeRetain<CFX_DIBitmap>();
+  auto backdrop = pdfium::MakeRetain<CFX_DIBitmap>();
   if (!CreateCompatibleBitmap(bitmap, rect.Width(), rect.Height()))
     return false;
 
   if (bitmap->HasAlpha()) {
     bitmap->Clear(0);
-    Backdrop->Copy(bitmap);
+    backdrop->Copy(bitmap);
   } else {
     if (!m_pDeviceDriver->GetDIBits(bitmap, rect.left, rect.top))
       return false;
-    Backdrop->Copy(bitmap);
+    backdrop->Copy(bitmap);
   }
   CFX_DefaultRenderDevice bitmap_device;
-  bitmap_device.Attach(bitmap, false, Backdrop, true);
+  bitmap_device.Attach(bitmap, false, backdrop, true);
 
   CFX_Matrix matrix;
   if (pObject2Device)