author | Nicolas Pena <npm@chromium.org> | 2017-03-14 15:35:35 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-14 20:18:08 +0000 |
commit | c83c28092f67f352cbd690138151b253dfdf547b (patch) | |
tree | ff8a13e860496ea38cd4449cd5d1363c5ba877a0 /core/fpdfapi/font/cpdf_cidfont.cpp | |
parent | 23a5d7ea73f11ffac00239305e67c1bb46409878 (diff) | |
download | pdfium-c83c28092f67f352cbd690138151b253dfdf547b.tar.xz |
Prevent integer overflow in CPDF_CIDFONT::LoadMetricsArray
The CIDs are unsigned integers. Avoid overflow since they are given as input
from the PDF file.
BUG=chromium:700787
Change-Id: Icdc3efbbd0f4f2ad8d5b4f4f52926e20f7e06391
Reviewed-on: https://pdfium-review.googlesource.com/3052
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fpdfapi/font/cpdf_cidfont.cpp')
-rw-r--r-- | core/fpdfapi/font/cpdf_cidfont.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 7d14a9ea0a..4c378f7598 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -7,6 +7,7 @@
 #include "core/fpdfapi/font/cpdf_cidfont.h"
 #include <algorithm>
+#include <limits>
 #include <vector>
 #include "core/fpdfapi/cmaps/cmap_int.h"
@@ -781,8 +782,8 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
 int nElements) {
 int width_status = 0;
 int iCurElement = 0;
- int first_code = 0;
- int last_code = 0;
+ uint32_t first_code = 0;
+ uint32_t last_code = 0;
 for (size_t i = 0; i < pArray->GetCount(); i++) {
 CPDF_Object* pObj = pArray->GetDirectObjectAt(i);
 if (!pObj)
@@ -791,6 +792,11 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
 if (CPDF_Array* pObjArray = pObj->AsArray()) {
 if (width_status != 1)
 return;
+ if (first_code >
+ std::numeric_limits<uint32_t>::max() - pObjArray->GetCount()) {
+ width_status = 0;
+ continue;
+ }
 for (size_t j = 0; j < pObjArray->GetCount(); j += nElements) {
 result->push_back(first_code);
 |
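Review bot: The declarations of `first_code` and `last_code` become `uint32_t` in the second hunk, but the statements that assign them from the PDF objects are outside the hunk, so the conversion at those sites cannot be checked here. If they are still filled from a signed integer accessor, a negative value in the file would silently become a very large CID instead of being rejected, and any range handling that walks from `first_code` to `last_code` would see that large value. A short comment on the declarations would record the intent, for example `// CIDs are read from the PDF; kept unsigned so arithmetic on them is well defined, callers must still bound them.` The body of LoadMetricsArray continues past the end of this hunk.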
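Review bot: The guard added in the array branch subtracts `pObjArray->GetCount()` from `std::numeric_limits<uint32_t>::max()`, and the loop below treats that count as a `size_t`, so the subtraction appears to be done in the wider type and would wrap if the count ever exceeded the 32-bit maximum, letting the check pass. That is probably unreachable for a real array, but putting the untrusted count alone on one side keeps the arithmetic in 32 bits and cannot wrap: `if (pObjArray->GetCount() > std::numeric_limits<uint32_t>::max() - first_code) {`. The branch also drops the whole widths array by resetting `width_status` without explanation; a comment such as `// Widths would run past the largest CID; ignore this array and resync on the next code.` would help the next reader. The code that advances `first_code` inside the loop lies outside this hunk.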