Check path point count overflow in DrawThisAppearance
authorBo Xu <bo_xu@foxitsoftware.com>
Mon, 18 Aug 2014 18:33:03 +0000 (11:33 -0700)
committerBo Xu <bo_xu@foxitsoftware.com>
Mon, 18 Aug 2014 18:33:03 +0000 (11:33 -0700)
BUG=387969
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/461343003

fpdfsdk/src/pdfwindow/PWL_Edit.cpp

index df59c2c..dfdbf64 100644 (file)
@@ -411,8 +411,11 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
        CFX_ByteTextBuf sLine;
 
        FX_INT32 nCharArray = m_pEdit->GetCharArray();
+       FX_SAFE_INT32 nCharArraySafe = nCharArray;
+       nCharArraySafe -= 1;
+       nCharArraySafe *= 2;
 
-       if (nCharArray > 0)
+       if (nCharArray > 0 && nCharArraySafe.IsValid())
        {
                switch (GetBorderStyle())
                {
@@ -422,7 +425,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
                                gsd.m_LineWidth = (FX_FLOAT)GetBorderWidth();
 
                                CFX_PathData path;
-                               path.SetPointCount((nCharArray-1)*2);
+                               if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+                                       return;
+                               }
                                
                                for (FX_INT32 i=0; i<nCharArray-1; i++)
                                {                                       
@@ -447,7 +452,9 @@ void CPWL_Edit::DrawThisAppearance(CFX_RenderDevice* pDevice, CPDF_Matrix* pUser
                                gsd.m_DashPhase = (FX_FLOAT)GetBorderDash().nPhase;
 
                                CFX_PathData path;
-                               path.SetPointCount((nCharArray-1)*2);
+                               if (!path.SetPointCount(nCharArraySafe.ValueOrDie())) {
+                                       return;
+                               }
                                
                                for (FX_INT32 i=0; i<nCharArray-1; i++)
                                {