From ad103a1564365c95f4ee4f10261f9604f91f686a Mon Sep 17 00:00:00 2001
From: "victorhsieh@chromium.org"
Date: Thu, 15 Nov 2012 07:27:55 +0000
Subject: Security fix: integer overflow on checking image size

Test is left in another CL (codereview.chromiu,.org/11274036) to avoid conflict there. Hope it's fine.
BUG=160926
Review URL: https://chromiumcodereview.appspot.com/11410081
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@167882 0039d316-1c4b-4281-b951-d872f2087c98
---
 webkit/plugins/ppapi/ppb_image_data_impl.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'webkit')
diff --git a/webkit/plugins/ppapi/ppb_image_data_impl.cc b/webkit/plugins/ppapi/ppb_image_data_impl.cc
index b318b46..4bdcbef 100644
--- a/webkit/plugins/ppapi/ppb_image_data_impl.cc
+++ b/webkit/plugins/ppapi/ppb_image_data_impl.cc
@@ -54,8 +54,8 @@ bool PPB_ImageData_Impl::Init(PP_ImageDataFormat format,
 return false; // Only support this one format for now.
 if (width <= 0 || height <= 0)
 return false;
- if (static_cast(width) * static_cast(height) * 4 >=
- std::numeric_limits::max())
+ if (static_cast(width) * static_cast(height) >=
+ std::numeric_limits::max() / 4)
 return false; // Prevent overflow of signed 32-bit ints.
 
 format_ = format;
@@ -285,4 +285,3 @@ const SkBitmap* ImageDataNaClBackend::GetMappedBitmap() const {
 
 } // namespace ppapi
 } // namespace webkit
-
-- 
cgit v1.1
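Review bot: The comment on the rejecting `return false;` in the first hunk still says only "Prevent overflow of signed 32-bit ints" and does not record why the bound is written as `max() / 4` instead of multiplying the product by 4, so a later cleanup could fold the `4` back into the left-hand side and reintroduce the wrap. The cast target types are not legible on this page, so this assumes the casts widen to 64 bits: the product of two positive 32-bit values fits there, but a further `* 4` need not. I would add a comment above the `if` such as `// Divide the limit rather than multiply the product: width * height * 4 can itself wrap.` and give the literal `4` a name (a bytes-per-pixel constant) so its link to the buffer size is explicit. `Init` begins before and continues past this hunk, so whether the later size computation uses the same factor cannot be confirmed from here.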