Prevent integer overflow in CPDF_CIDFONT::LoadMetricsArray

The CIDs are unsigned integers. Avoid overflow since they are given as input
from the PDF file.

BUG=chromium:700787

Change-Id: Icdc3efbbd0f4f2ad8d5b4f4f52926e20f7e06391
Reviewed-on: https://pdfium-review.googlesource.com/3052
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

1 files changed, 8 insertions, 2 deletions

diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 7d14a9ea0a..4c378f7598 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -7,6 +7,7 @@
 #include "core/fpdfapi/font/cpdf_cidfont.h"
 
 #include <algorithm>
+#include <limits>
 #include <vector>
 
 #include "core/fpdfapi/cmaps/cmap_int.h"
@@ -781,8 +782,8 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
                                     int nElements) {
   int width_status = 0;
   int iCurElement = 0;
-  int first_code = 0;
-  int last_code = 0;
+  uint32_t first_code = 0;
+  uint32_t last_code = 0;
   for (size_t i = 0; i < pArray->GetCount(); i++) {
     CPDF_Object* pObj = pArray->GetDirectObjectAt(i);
     if (!pObj)
@@ -791,6 +792,11 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
     if (CPDF_Array* pObjArray = pObj->AsArray()) {
       if (width_status != 1)
         return;
+      if (first_code >
+          std::numeric_limits<uint32_t>::max() - pObjArray->GetCount()) {
+        width_status = 0;
+        continue;
+      }
 
       for (size_t j = 0; j < pObjArray->GetCount(); j += nElements) {
         result->push_back(first_code);