authorDan Sinclair <dsinclair@chromium.org>2018-05-16 13:30:15 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-05-16 13:30:15 +0000
commita68ee04cfdeb39637a06764dcb924ac806dfdf95 (patch)
tree4572493605b15dbd3d8672ddbb762ec16740a0e5
parentc3aa483e132526e5f5d150058fcdef9450ba3498 (diff)
downloadpdfium-a68ee04cfdeb39637a06764dcb924ac806dfdf95.tar.xz
Verify bidi pos is within range before accessing
This CL verifies that the provided BidiPos is within the acceptable size for the vector before accessing. Bug: chromium:843100 Change-Id: I2955a3ca628b19ee51dd4233726b859729c125af Reviewed-on: https://pdfium-review.googlesource.com/32593 Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r--core/fxcrt/cfx_char.h6
-rw-r--r--core/fxcrt/fx_bidi.cpp6
2 files changed, 8 insertions, 4 deletions
diff --git a/core/fxcrt/cfx_char.h b/core/fxcrt/cfx_char.h
index fb625ee038..268aa99c39 100644
--- a/core/fxcrt/cfx_char.h
+++ b/core/fxcrt/cfx_char.h
@@ -35,9 +35,9 @@ class CFX_Char {
uint32_t m_dwCharStyles;
int32_t m_iCharWidth;
int16_t m_iBidiClass;
- int16_t m_iBidiLevel;
- int16_t m_iBidiPos;
- int16_t m_iBidiOrder;
+ uint16_t m_iBidiLevel;
+ uint16_t m_iBidiPos;
+ uint16_t m_iBidiOrder;
int32_t m_iFontSize;
uint32_t m_dwIdentity;
RetainPtr<Retainable> m_pUserData;
diff --git a/core/fxcrt/fx_bidi.cpp b/core/fxcrt/fx_bidi.cpp
index 7261d80af3..669fc5bd88 100644
--- a/core/fxcrt/fx_bidi.cpp
+++ b/core/fxcrt/fx_bidi.cpp
@@ -531,8 +531,12 @@ class CFX_BidiLine {
}
void Position(std::vector<CFX_Char>* chars, size_t iCount) {
- for (size_t i = 0; i < iCount; ++i)
+ for (size_t i = 0; i < iCount; ++i) {
+ if ((*chars)[i].m_iBidiPos > iCount)
+ continue;
+
(*chars)[(*chars)[i].m_iBidiPos].m_iBidiOrder = i;
+ }
}
};
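Review bot: The new guard in Position is off by one: a character whose m_iBidiPos equals iCount passes the `>` test and the next line then indexes `(*chars)[iCount]`, one past the last element the loop itself treats as valid (`i < iCount`), so the out-of-bounds write the commit targets is still reachable for that value. The check should be `if ((*chars)[i].m_iBidiPos >= iCount) continue;`. The hunk gives no evidence that iCount is bounded by chars->size(); if callers do not guarantee that, comparing against `chars->size()` as well would make the guard independent of the caller's contract. Separately, `m_iBidiOrder = i` narrows a size_t loop index into the now-uint16_t field, which silently truncates for more than 65535 characters — presumably unreachable for a single line, but worth a comment or a bounds assumption note. The preceding `}` on the first hunk line closes a function whose body lies outside this hunk.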