diff options
| author | Tom Sepez <tsepez@chromium.org> | 2021-01-13 23:56:00 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-06 08:59:42 +0000 |
| commit | 78b092862ba7ca62683109ecbe426ceaf49c1d9a (patch) | |
| tree | 381338db8418959d1002fe6be691c8d2b103b1fb | |
| parent | a84e05c57d55130104fb1fa2d4aa5882e41a1fd1 (diff) | |
| download | qtwebengine-chromium-78b092862ba7ca62683109ecbe426ceaf49c1d9a.tar.gz | |
[Backport] CVE-2021-21190: Uninitialized Use in PDFium
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2628044:
Validate return code from FPDF_PageToDevice()
A DCHECK() here isn't sufficient to prevent the use of uninitialized
memory should this someday return false.
Bug: 1166091
Change-Id: I4cfd28653f2e6882f227299d68605be706b75b44
Reviewed-by: K. Moon <kmoon@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843247}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| -rw-r--r-- | chromium/pdf/pdfium/pdfium_page.cc | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/chromium/pdf/pdfium/pdfium_page.cc b/chromium/pdf/pdfium/pdfium_page.cc index 360fa885baf..e752101f663 100644 --- a/chromium/pdf/pdfium/pdfium_page.cc +++ b/chromium/pdf/pdfium/pdfium_page.cc @@ -557,18 +557,20 @@ pp::Rect PDFiumPage::PageToScreen(const pp::Point& offset, int new_left; int new_top; + if (!FPDF_PageToDevice( + page(), static_cast<int>(start_x), static_cast<int>(start_y), + static_cast<int>(ceil(size_x)), static_cast<int>(ceil(size_y)), rotation, + left, top, &new_left, &new_top)) { + return pp::Rect(); + } int new_right; int new_bottom; - FPDF_BOOL ret = FPDF_PageToDevice( - page(), static_cast<int>(start_x), static_cast<int>(start_y), - static_cast<int>(ceil(size_x)), static_cast<int>(ceil(size_y)), rotation, - left, top, &new_left, &new_top); - DCHECK(ret); - ret = FPDF_PageToDevice( - page(), static_cast<int>(start_x), static_cast<int>(start_y), - static_cast<int>(ceil(size_x)), static_cast<int>(ceil(size_y)), rotation, - right, bottom, &new_right, &new_bottom); - DCHECK(ret); + if (!FPDF_PageToDevice( + page(), static_cast<int>(start_x), static_cast<int>(start_y), + static_cast<int>(ceil(size_x)), static_cast<int>(ceil(size_y)), rotation, + right, bottom, &new_right, &new_bottom)) { + return pp::Rect(); + } // If the PDF is rotated, the horizontal/vertical coordinates could be // flipped. See |