Avoid OOB memcpy in chrome_pdf::CopyImage.

This is a re-work of palmer's patch at https://codereview.chromium.org/515023002/ which has more context, but comes down to stricter bounds checking. We also correct an arithmetic bug when copying the image behind a control that is positioned before the origin of the image. BUG=398384 Review URL: https://codereview.chromium.org/519873002 Cr-Commit-Position: refs/heads/master@{#293213}

Avoid OOB memcpy in chrome_pdf::CopyImage.
This is a re-work of palmer's patch at https://codereview.chromium.org/515023002/ which has more context, but comes down to stricter bounds checking. We also correct an arithmetic bug when copying the image behind a control that is positioned before the origin of the image. BUG=398384 Review URL: https://codereview.chromium.org/519873002 Cr-Commit-Position: refs/heads/master@{#293213}
d734d197 · tsepez · Commit bot · 7e4346c9 · d734d197 · d734d197
Commit d734d197 authored Sep 03, 2014 by tsepez Committed by Commit bot Sep 03, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 4 deletions

pdf/control.cc pdf/control.cc +1 -1

pdf/draw_utils.cc pdf/draw_utils.cc +12 -3

No files found.
--- a/pdf/control.cc
+++ b/pdf/control.cc
@@ -53,7 +53,7 @@ void Control::PaintMultipleRects(pp::ImageData* image_data,
    return;

  pp::Rect draw_rc = pp::Rect(image_data->size()).Intersect(rect());
-  pp::Rect ctrl_rc = pp::Rect(rect().point() - draw_rc.point(), draw_rc.size());
+  pp::Rect ctrl_rc = pp::Rect(draw_rc.point() - rect().point(), draw_rc.size());
  CopyImage(*image_data, draw_rc, &buffer, ctrl_rc, false);

  // Temporary move control to origin (0,0) and draw it into temp buffer.

--- a/pdf/draw_utils.cc
+++ b/pdf/draw_utils.cc
@@ -51,6 +51,12 @@ inline uint8 ProcessColor(uint8 src_color, uint8 dest_color, uint8 alpha) {
  return static_cast<uint8>((processed / 0xFF) & 0xFF);
 }

+inline bool ImageDataContainsRect(const pp::ImageData& image_data,
+                                  const pp::Rect& rect) {
+  return rect.width() >= 0 && rect.height() >= 0 &&
+      pp::Rect(image_data.size()).Contains(rect);
+}
+
 bool AlphaBlend(const pp::ImageData& src, const pp::Rect& src_rc,
                pp::ImageData* dest, const pp::Point& dest_origin,
                uint8 alpha_adjustment) {
@@ -145,9 +151,12 @@ void GradientFill(pp::Instance* instance,
 void CopyImage(const pp::ImageData& src, const pp::Rect& src_rc,
               pp::ImageData* dest, const pp::Rect& dest_rc,
               bool stretch) {
-  DCHECK(src_rc.width() <= dest_rc.width() &&
-         src_rc.height() <= dest_rc.height());
-  if (src_rc.IsEmpty())
+  if (src_rc.IsEmpty() || !ImageDataContainsRect(src, src_rc))
+    return;
+
+  pp::Rect stretched_rc(dest_rc.point(),
+                        stretch ? dest_rc.size() : src_rc.size());
+  if (stretched_rc.IsEmpty() || !ImageDataContainsRect(*dest, stretched_rc))
    return;

  const uint32_t* src_origin_pixel = src.GetAddr32(src_rc.point());