diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-06-09 17:55:51 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-06-09 22:18:01 +0000 |
| commit | b83d870b007f25b18e6b7a4ce2a417420d4dcb89 (patch) | |
| tree | ac93373d9041028aca7d50d473c2cf949331a94b | |
| parent | 897c4b922f1fb50b942cda6cab0f4605f8afac3c (diff) | |
| download | pdfium-chromium/3127.tar.xz | |
Fix types for FT_ULong chars in fpdfedittextchromium/3128chromium/3127
FXFT_Get_First(Next)_Char can return large unsigned values. This CL avoids
integer overflow and adds some missing checks regarding the ranges of the
values returned by those methods.
Bug: chromium:727086
Change-Id: Ice7bbb3759e384b7174680a82a2a9380c3611382
Reviewed-on: https://pdfium-review.googlesource.com/6436
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
| -rw-r--r-- | fpdfsdk/fpdfedittext.cpp | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/fpdfsdk/fpdfedittext.cpp b/fpdfsdk/fpdfedittext.cpp index 3deae7ea20..1c3b22d7f3 100644 --- a/fpdfsdk/fpdfedittext.cpp +++ b/fpdfsdk/fpdfedittext.cpp @@ -231,6 +231,8 @@ CPDF_Stream* LoadUnicode(CPDF_Document* pDoc, std::move(pDict)); } +const uint32_t kMaxSimpleFontChar = 0xFF; + void* LoadSimpleFont(CPDF_Document* pDoc, std::unique_ptr<CFX_Font> pFont, const uint8_t* data, @@ -246,21 +248,23 @@ void* LoadSimpleFont(CPDF_Document* pDoc, fontDict->SetNewFor<CPDF_Name>("BaseFont", name); uint32_t glyphIndex; - int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex); - fontDict->SetNewFor<CPDF_Number>("FirstChar", currentChar); + uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex); + if (currentChar > kMaxSimpleFontChar || glyphIndex == 0) + return nullptr; + fontDict->SetNewFor<CPDF_Number>("FirstChar", static_cast<int>(currentChar)); CPDF_Array* widthsArray = pDoc->NewIndirect<CPDF_Array>(); while (true) { widthsArray->AddNew<CPDF_Number>(pFont->GetGlyphWidth(glyphIndex)); - int nextChar = + uint32_t nextChar = FXFT_Get_Next_Char(pFont->GetFace(), currentChar, &glyphIndex); // Simple fonts have 1-byte charcodes only. - if (nextChar > 0xff || glyphIndex == 0) + if (nextChar > kMaxSimpleFontChar || glyphIndex == 0) break; - for (int i = currentChar + 1; i < nextChar; i++) + for (uint32_t i = currentChar + 1; i < nextChar; i++) widthsArray->AddNew<CPDF_Number>(0); currentChar = nextChar; } - fontDict->SetNewFor<CPDF_Number>("LastChar", currentChar); + fontDict->SetNewFor<CPDF_Number>("LastChar", static_cast<int>(currentChar)); fontDict->SetNewFor<CPDF_Reference>("Widths", pDoc, widthsArray->GetObjNum()); CPDF_Dictionary* fontDesc = LoadFontDesc(pDoc, name, pFont.get(), data, size, font_type); @@ -270,6 +274,8 @@ void* LoadSimpleFont(CPDF_Document* pDoc, return pDoc->LoadFont(fontDict); } +const uint32_t kMaxUnicode = 0x10FFFF; + void* LoadCompositeFont(CPDF_Document* pDoc, std::unique_ptr<CFX_Font> pFont, const uint8_t* data, @@ -309,15 +315,15 @@ void* LoadCompositeFont(CPDF_Document* pDoc, fontDesc->GetObjNum()); uint32_t glyphIndex; - int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex); + uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex); // If it doesn't have a single char, just fail - if (glyphIndex == 0) + if (glyphIndex == 0 || currentChar > kMaxUnicode) return nullptr; std::map<uint32_t, uint32_t> to_unicode; std::map<uint32_t, uint32_t> widths; while (true) { - if (currentChar > 0x10FFFF) + if (currentChar > kMaxUnicode) break; widths[glyphIndex] = pFont->GetGlyphWidth(glyphIndex); |