author | Lei Zhang <thestig@chromium.org> | 2018-08-20 17:51:49 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-20 17:51:49 +0000 |
commit | 79d8cfb7848c05bc34c2c0a10276c9919a9b4e96 (patch) | |
tree | 7ac28bf9807ed9a338e48f91186aa6b5bc177512 | |
parent | f01e4a5ec03c6b232d41dc878a3640924150f2a7 (diff) | |

Avoid an integer overflow in CFX_RTFBreak.

The root cause is an extremely large reserve count. Limit it to the size
of the widget.

BUG=chromium:875282
Change-Id: Ia3bbb07503ce349adc2662731d22317bda7df4ef
Reviewed-on: https://pdfium-review.googlesource.com/40652
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r-- | xfa/fxfa/cxfa_fffield.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/xfa/fxfa/cxfa_fffield.cpp b/xfa/fxfa/cxfa_fffield.cpp index 7fba69973c..ff28e574e8 100644 --- a/xfa/fxfa/cxfa_fffield.cpp +++ b/xfa/fxfa/cxfa_fffield.cpp @@ -6,6 +6,8 @@ #include "xfa/fxfa/cxfa_fffield.h" +#include <algorithm> + #include "xfa/fwl/cfwl_edit.h" #include "xfa/fwl/cfwl_eventmouse.h" #include "xfa/fwl/cfwl_messagekey.h" @@ -195,6 +197,12 @@ void CXFA_FFField::CapPlacement() { m_rtCaption.Reset(); } else { fCapReserve = caption->GetReserve(); + if (iCapPlacement == XFA_AttributeEnum::Top || + iCapPlacement == XFA_AttributeEnum::Bottom) { + fCapReserve = std::min(fCapReserve, rtWidget.height); + } else { + fCapReserve = std::min(fCapReserve, rtWidget.width); + } CXFA_ContentLayoutItem* pItem = this; if (!pItem->GetPrev() && !pItem->GetNext()) { m_rtCaption = rtWidget; |
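
Review bot: In the CapPlacement() hunk, the new std::min calls bound fCapReserve only from above, so a negative value from caption->GetReserve(), or a negative rtWidget.height or rtWidget.width, still reaches the caption layout code that follows. If fCapReserve is a float, as the f prefix suggests, a NaN also survives, because std::min returns its first argument when the comparison is false. Consider adding a lower bound of zero as well, for example `fCapReserve = std::max(0.0f, std::min(fCapReserve, rtWidget.height));` and the same for the width branch. Two smaller points: the else branch applies the width limit to every placement other than Top and Bottom, which deserves a one-line comment confirming that is intended for all remaining enum values; and since the commit message places the overflow in CFX_RTFBreak while the clamp lives here, a short comment tying the two together would help, along with a regression test, since the diffstat shows only this one file changed.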