diff options
author | thestig <thestig@chromium.org> | 2016-08-31 13:29:39 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-31 13:29:39 -0700 |
commit | 21b111fcf71e4e189035f29606ca9d3fdf3ebd92 (patch) | |
tree | 0085f06d4a8d3080a104d1842e9cabcaec3141af | |
parent | 07146149674c61eaecf55cdfe6cdf7c31bbf0550 (diff) | |
download | pdfium-chromium/2846.tar.xz |
Attempt to fix potential integer overflow in CFX_FaceCache::LoadGlyphPath().chromium/2846
BUG=641333
Review-Url: https://codereview.chromium.org/2294183002
-rw-r--r-- | core/fxge/ge/cfx_facecache.cpp | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/core/fxge/ge/cfx_facecache.cpp b/core/fxge/ge/cfx_facecache.cpp index d59ae3269e..6c5bba2018 100644 --- a/core/fxge/ge/cfx_facecache.cpp +++ b/core/fxge/ge/cfx_facecache.cpp @@ -23,6 +23,8 @@ namespace { +constexpr uint32_t kInvalidGlyphIndex = static_cast<uint32_t>(-1); + void GammaAdjust(uint8_t* pData, int nHeight, int src_pitch, @@ -224,14 +226,22 @@ CFX_GlyphBitmap* CFX_FaceCache::RenderGlyph(CFX_Font* pFont, const CFX_PathData* CFX_FaceCache::LoadGlyphPath(CFX_Font* pFont, uint32_t glyph_index, int dest_width) { - if (!m_Face || glyph_index == (uint32_t)-1) + if (!m_Face || glyph_index == kInvalidGlyphIndex || dest_width < 0) return nullptr; uint32_t key = glyph_index; - if (pFont->GetSubstFont()) { - key += (((pFont->GetSubstFont()->m_Weight / 16) << 15) + - ((pFont->GetSubstFont()->m_ItalicAngle / 2) << 21) + - ((dest_width / 16) << 25) + (pFont->IsVertical() << 31)); + auto* pSubstFont = pFont->GetSubstFont(); + if (pSubstFont) { + if (pSubstFont->m_Weight < 0 || pSubstFont->m_ItalicAngle < 0) + return nullptr; + uint32_t weight = static_cast<uint32_t>(pSubstFont->m_Weight); + uint32_t angle = static_cast<uint32_t>(pSubstFont->m_ItalicAngle); + uint32_t key_modifier = (weight / 16) << 15; + key_modifier += (angle / 2) << 21; + key_modifier += (static_cast<uint32_t>(dest_width) / 16) << 25; + if (pFont->IsVertical()) + key_modifier += 1U << 31; + key += key_modifier; } auto it = m_PathMap.find(key); if (it != m_PathMap.end()) @@ -249,8 +259,9 @@ const CFX_GlyphBitmap* CFX_FaceCache::LoadGlyphBitmap(CFX_Font* pFont, int dest_width, int anti_alias, int& text_flags) { - if (glyph_index == (uint32_t)-1) + if (glyph_index == kInvalidGlyphIndex) return nullptr; + _CFX_UniqueKeyGen keygen; int nMatrixA = static_cast<int>(pMatrix->a * 10000); int nMatrixB = static_cast<int>(pMatrix->b * 10000); |