Avoid integer overflow in DrawNormalTextHelper()
Use FX_SAFE_INT32 to check for integer overflows.
Bug: 374218982
Change-Id: I8723232e47d736687e2ccd4f801eddae9f543fc0
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/125450
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fxge/cfx_renderdevice.cpp b/core/fxge/cfx_renderdevice.cpp
index 753d56a..4813d4b 100644
--- a/core/fxge/cfx_renderdevice.cpp
+++ b/core/fxge/cfx_renderdevice.cpp
@@ -220,9 +220,12 @@
const bool has_alpha = bitmap->IsAlphaFormat();
const int bytes_per_pixel = has_alpha ? 4 : bitmap->GetBPP() / 8;
for (int row = 0; row < nrows; ++row) {
- int dest_row = row + top;
- if (dest_row < 0 || dest_row >= bitmap->GetHeight())
+ FX_SAFE_INT32 safe_dest_row = row;
+ safe_dest_row += top;
+ const int dest_row = safe_dest_row.ValueOrDefault(-1);
+ if (dest_row < 0 || dest_row >= bitmap->GetHeight()) {
continue;
+ }
const uint8_t* src_scan =
pGlyph->GetScanline(row).subspan((start_col - left) * 3).data();