Avoid OOB memcpy in chrome_pdf::CopyImage.

This is a re-work of palmer's patch at https://codereview.chromium.org/515023002/ which has more context, but comes down to stricter bounds checking. We also correct an arithmetic bug when copying the image behind a control that is positioned before the origin of the image. BUG=398384 Review URL: https://codereview.chromium.org/519873002 Cr-Commit-Position: refs/heads/master@{#293213}
chromium · Sep 3, 2014 · d734d19 · d734d19
1 parent 7e4346c
commit d734d19
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/pdf/control.cc b/pdf/control.cc
@@ -53,7 +53,7 @@ void Control::PaintMultipleRects(pp::ImageData* image_data,
     return;
 
   pp::Rect draw_rc = pp::Rect(image_data->size()).Intersect(rect());
-  pp::Rect ctrl_rc = pp::Rect(rect().point() - draw_rc.point(), draw_rc.size());
+  pp::Rect ctrl_rc = pp::Rect(draw_rc.point() - rect().point(), draw_rc.size());
   CopyImage(*image_data, draw_rc, &buffer, ctrl_rc, false);
 
   // Temporary move control to origin (0,0) and draw it into temp buffer.

diff --git a/pdf/draw_utils.cc b/pdf/draw_utils.cc
@@ -51,6 +51,12 @@ inline uint8 ProcessColor(uint8 src_color, uint8 dest_color, uint8 alpha) {
   return static_cast<uint8>((processed / 0xFF) & 0xFF);
 }
 
+inline bool ImageDataContainsRect(const pp::ImageData& image_data,
+                                  const pp::Rect& rect) {
+  return rect.width() >= 0 && rect.height() >= 0 &&
+      pp::Rect(image_data.size()).Contains(rect);
+}
+
 bool AlphaBlend(const pp::ImageData& src, const pp::Rect& src_rc,
                 pp::ImageData* dest, const pp::Point& dest_origin,
                 uint8 alpha_adjustment) {
@@ -145,9 +151,12 @@ void GradientFill(pp::Instance* instance,
 void CopyImage(const pp::ImageData& src, const pp::Rect& src_rc,
                pp::ImageData* dest, const pp::Rect& dest_rc,
                bool stretch) {
-  DCHECK(src_rc.width() <= dest_rc.width() &&
-         src_rc.height() <= dest_rc.height());
-  if (src_rc.IsEmpty())
+  if (src_rc.IsEmpty() || !ImageDataContainsRect(src, src_rc))
+    return;
+
+  pp::Rect stretched_rc(dest_rc.point(),
+                        stretch ? dest_rc.size() : src_rc.size());
+  if (stretched_rc.IsEmpty() || !ImageDataContainsRect(*dest, stretched_rc))
     return;
 
   const uint32_t* src_origin_pixel = src.GetAddr32(src_rc.point());