Verify bidi pos is within range before accessing

This CL verifies that the provided BidiPos is within the acceptable size for the vector before accessing. Bug: chromium:843100 Change-Id: I2955a3ca628b19ee51dd4233726b859729c125af Reviewed-on: https://pdfium-review.googlesource.com/32593 Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
author: Dan Sinclair <dsinclair@chromium.org> 2018-05-16 13:30:15 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-05-16 13:30:15 +0000
commit: a68ee04cfdeb39637a06764dcb924ac806dfdf95 (patch)
tree: 4572493605b15dbd3d8672ddbb762ec16740a0e5 /core/fxcrt/fx_bidi.cpp
parent: c3aa483e132526e5f5d150058fcdef9450ba3498 (diff)
download: pdfium-a68ee04cfdeb39637a06764dcb924ac806dfdf95.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/core/fxcrt/fx_bidi.cpp b/core/fxcrt/fx_bidi.cpp
index 7261d80af3..669fc5bd88 100644
--- a/core/fxcrt/fx_bidi.cpp
+++ b/core/fxcrt/fx_bidi.cpp
@@ -531,8 +531,12 @@ class CFX_BidiLine {
   }
 
   void Position(std::vector<CFX_Char>* chars, size_t iCount) {
-    for (size_t i = 0; i < iCount; ++i)
+    for (size_t i = 0; i < iCount; ++i) {
+      if ((*chars)[i].m_iBidiPos > iCount)
+        continue;
+
       (*chars)[(*chars)[i].m_iBidiPos].m_iBidiOrder = i;
+    }
   }
 };
author	Dan Sinclair <dsinclair@chromium.org>	2018-05-16 13:30:15 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-05-16 13:30:15 +0000
commit	a68ee04cfdeb39637a06764dcb924ac806dfdf95 (patch)
tree	4572493605b15dbd3d8672ddbb762ec16740a0e5 /core/fxcrt/fx_bidi.cpp
parent	c3aa483e132526e5f5d150058fcdef9450ba3498 (diff)
download	pdfium-a68ee04cfdeb39637a06764dcb924ac806dfdf95.tar.xz