commit f04b7f1c438bf9f9e41a1925c6bcaa378c082ee1
author Nicolas Pena <npm@chromium.org> Mon Jan 09 13:39:05 2017 -0500
committer Chromium commit bot <commit-bot@chromium.org> Mon Jan 09 20:41:20 2017 +0000
tree 07161be4e5e367f6a623d8b187fc416269dc338a
parent c589fdc5e4e996dd6d2502f7267414c471e5fd6d

Check validity of width and height in CCodec_TiffContext::LoadFrameInfo

We are using pdfium::base::checked_cast to get the width and height,
but we may overflow and abort. Therefore, we should instead early
return if the obtained width and height are not valid int32_t's.

BUG=655056

Change-Id: Ic0c6b88a16dc3d547fe82736bb14ed3122cd356a
Reviewed-on: https://pdfium-review.googlesource.com/2160
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

core/fxcodec/codec/fx_codec_tiff.cpp

diff --git a/core/fxcodec/codec/fx_codec_tiff.cpp b/core/fxcodec/codec/fx_codec_tiff.cpp
index be9c7d4..cf38d71 100644
--- a/core/fxcodec/codec/fx_codec_tiff.cpp
+++ b/core/fxcodec/codec/fx_codec_tiff.cpp
@@ -267,8 +267,13 @@
     Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MAKE, pAttribute);
     Tiff_Exif_GetStringInfo(m_tif_ctx, TIFFTAG_MODEL, pAttribute);
   }
-  *width = pdfium::base::checked_cast<int32_t>(tif_width);
-  *height = pdfium::base::checked_cast<int32_t>(tif_height);
+  pdfium::base::CheckedNumeric<int32_t> checked_width = tif_width;
+  pdfium::base::CheckedNumeric<int32_t> checked_height = tif_height;
+  if (!checked_width.IsValid() || !checked_height.IsValid())
+    return false;
+
+  *width = checked_width.ValueOrDie();
+  *height = checked_height.ValueOrDie();
   *comps = tif_comps;
   *bpc = tif_bpc;
   if (tif_rps > tif_height) {