summaryrefslogtreecommitdiff
path: root/core/fpdfapi/font
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2018-08-22 15:15:36 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-22 15:15:36 +0000
commit98a245c0d8ee3e403fbb13d90872239948d82abf (patch)
treeff3c0e12c5de708a05e21493b4b2ccaf5aecc992 /core/fpdfapi/font
parentd4f4ce4b9c35db40d2dc3720ba07a83cff1b547d (diff)
downloadpdfium-98a245c0d8ee3e403fbb13d90872239948d82abf.tar.xz
Fix integer overflow in CPDF_CIDFont::GetCharBBox
Bug: chromium:875924 Change-Id: I85c86d3f90ee62b5593b0b20e44283c5056702ff Reviewed-on: https://pdfium-review.googlesource.com/40730 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core/fpdfapi/font')
-rw-r--r--core/fpdfapi/font/cpdf_cidfont.cpp12
1 files changed, 9 insertions, 3 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index e118a91e87..a423daa1bb 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -119,8 +119,11 @@ const struct CIDTransform {
};
// Boundary values to avoid integer overflow when multiplied by 1000.
-const long kMinCBox = -2147483;
-const long kMaxCBox = 2147483;
+constexpr long kMinCBox = -2147483;
+constexpr long kMaxCBox = 2147483;
+
+// Boundary value to avoid integer overflow when adding 1/64th of the value.
+constexpr int kMaxRectTop = 2114445437;
CPDF_FontGlobals* GetFontGlobals() {
return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals();
@@ -472,7 +475,10 @@ FX_RECT CPDF_CIDFont::GetCharBBox(uint32_t charcode) {
TT2PDF(FXFT_Get_Glyph_HoriBearingY(face) -
FXFT_Get_Glyph_Height(face),
face));
- rect.top += rect.top / 64;
+ if (rect.top <= kMaxRectTop)
+ rect.top += rect.top / 64;
+ else
+ rect.top = std::numeric_limits<int>::max();
}
}
}