1diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.cpp b/third_party/agg23/agg_rasterizer_scanline_aa.cpp 2index 1fe9a0c32..9254d830d 100644 3--- a/third_party/agg23/agg_rasterizer_scanline_aa.cpp 4+++ b/third_party/agg23/agg_rasterizer_scanline_aa.cpp 5@@ -502,4 +502,16 @@ int rasterizer_scanline_aa::calculate_area(int cover, int shift) 6 result <<= shift; 7 return result; 8 } 9+// static 10+bool rasterizer_scanline_aa::safe_add(int* op1, int op2) 11+{ 12+ pdfium::base::CheckedNumeric<int> safeOp1 = *op1; 13+ safeOp1 += op2; 14+ if(!safeOp1.IsValid()) { 15+ return false; 16+ } 17+ 18+ *op1 = safeOp1.ValueOrDie(); 19+ return true; 20+} 21 } 22diff --git a/third_party/agg23/agg_rasterizer_scanline_aa.h b/third_party/agg23/agg_rasterizer_scanline_aa.h 23index 281933710..eade78333 100644 24--- a/third_party/agg23/agg_rasterizer_scanline_aa.h 25+++ b/third_party/agg23/agg_rasterizer_scanline_aa.h 26@@ -338,14 +338,33 @@ public: 27 const cell_aa* cur_cell = *cells; 28 int x = cur_cell->x; 29 int area = cur_cell->area; 30- cover += cur_cell->cover; 31+ bool seen_area_overflow = false; 32+ bool seen_cover_overflow = false; 33+ if(!safe_add(&cover, cur_cell->cover)) { 34+ break; 35+ } 36 while(--num_cells) { 37 cur_cell = *++cells; 38 if(cur_cell->x != x) { 39 break; 40 } 41- area += cur_cell->area; 42- cover += cur_cell->cover; 43+ if(seen_area_overflow) { 44+ continue; 45+ } 46+ if(!safe_add(&area, cur_cell->area)) { 47+ seen_area_overflow = true; 48+ continue; 49+ } 50+ if(!safe_add(&cover, cur_cell->cover)) { 51+ seen_cover_overflow = true; 52+ break; 53+ } 54+ } 55+ if(seen_area_overflow) { 56+ continue; 57+ } 58+ if(seen_cover_overflow) { 59+ break; 60 } 61 if(area) { 62 unsigned alpha = calculate_alpha(calculate_area(cover, poly_base_shift + 1) - area, no_smooth); 63@@ -459,6 +478,7 @@ private: 64 } 65 private: 66 static int calculate_area(int cover, int shift); 67+ static bool safe_add(int* op1, int op2); 68 69 outline_aa m_outline; 70 filling_rule_e m_filling_rule; 71