Lei Zhang | aea4bca | 2019-08-27 21:53:35 +0000 | [diff] [blame^] | 1 | diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.cpp b/third_party/agg23/agg_rasterizer_scanline_aa.cpp |
| 2 | index 1fe9a0c32..9254d830d 100644 |
| 3 | --- a/third_party/agg23/agg_rasterizer_scanline_aa.cpp |
| 4 | +++ b/third_party/agg23/agg_rasterizer_scanline_aa.cpp |
| 5 | @@ -502,4 +502,16 @@ int rasterizer_scanline_aa::calculate_area(int cover, int shift) |
| 6 | result <<= shift; |
| 7 | return result; |
| 8 | } |
| 9 | +// static |
| 10 | +bool rasterizer_scanline_aa::safe_add(int* op1, int op2) |
| 11 | +{ |
| 12 | + pdfium::base::CheckedNumeric<int> safeOp1 = *op1; |
| 13 | + safeOp1 += op2; |
| 14 | + if(!safeOp1.IsValid()) { |
| 15 | + return false; |
| 16 | + } |
| 17 | + |
| 18 | + *op1 = safeOp1.ValueOrDie(); |
| 19 | + return true; |
| 20 | +} |
| 21 | } |
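Review bot: `safe_add` carries a contract that the callers in the header section rely on but that is written down nowhere: on overflow it returns false and leaves `*op1` unchanged, and the only comment on it is `// static`. I would expand that comment to `// static. Adds op2 to *op1; returns false and leaves *op1 unmodified if the sum does not fit in int.` so that later callers know the result has to be checked before the accumulator is used. Neither file section adds an include for the header that declares `pdfium::base::CheckedNumeric`, so this presumably relies on an include already present above the hunk; worth confirming.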
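--- a/third_party/agg23/agg_rasterizer_scanline_aa.h
+++ b/third_party/agg23/agg_rasterizer_scanline_aa.h
@@ -338,14 +338,33 @@ public:
 const cell_aa* cur_cell = *cells;
 int x = cur_cell->x;
 int area = cur_cell->area;
- cover += cur_cell->cover;
+ bool seen_area_overflow = false;
+ bool seen_cover_overflow = false;
+ if(!safe_add(&cover, cur_cell->cover)) {
+ break;
+ }
 while(--num_cells) {
 cur_cell = *++cells;
 if(cur_cell->x != x) {
 break;
 }
- area += cur_cell->area;
- cover += cur_cell->cover;
+ if(seen_area_overflow) {
+ continue;
+ }
+ if(!safe_add(&area, cur_cell->area)) {
+ seen_area_overflow = true;
+ continue;
+ }
+ if(!safe_add(&cover, cur_cell->cover)) {
+ seen_cover_overflow = true;
+ break;
+ }
+ }
+ if(seen_area_overflow) {
+ continue;
+ }
+ if(seen_cover_overflow) {
+ break;
 }
 if(area) {
 unsigned alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth);
@@ -459,6 +478,7 @@ private:
 }
 private:
 static int calculate_area(int cover, int shift);
+ static bool safe_add(int* op1, int op2);
 
 outline_aa m_outline;
 filling_rule_e m_filling_rule;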
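Review bot: The subtraction in `calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth)`, on the context line right after the new overflow checks, still combines two `int` values with an unchecked `-`, so signed overflow remains possible there even though both accumulations are now guarded. If `cover` and `area` are not bounded elsewhere, the difference could go through the same checked type, e.g. `pdfium::base::CheckedNumeric<int> diff = calculate_area(cover, poly_base_shift + 1); diff -= area;`, skipping the span when `!diff.IsValid()`. Separately, an area overflow skips the remaining `cover` additions for that x and continues with the next cell, while a cover overflow abandons the rest of the scanline; a short comment above the two flags stating that policy would help, since `cover` appears to be carried into later iterations. The enclosing loop and function begin above the hunk, so what the `break` and `continue` statements reach is inferred.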