diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2017-10-19 11:39:32 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-19 17:22:05 +0000 |
commit | 943360187bb881fe94f14571c955e03f81203573 (patch) | |
tree | 44eba5b12f21f38803af898395ccc4cd3345e254 /core/fxge/cfx_font.cpp | |
parent | 68708e4344b9624fe677854321846a4c23b7e226 (diff) | |
download | pdfium-943360187bb881fe94f14571c955e03f81203573.tar.xz |
Fix integer overflows in cfx_font.cpp.chromium/3245
Bug: chromium:775587
Change-Id: If927ebc0080a53d1c67f0aee5cab525fbcc24260
Reviewed-on: https://pdfium-review.googlesource.com/16290
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core/fxge/cfx_font.cpp')
-rw-r--r-- | core/fxge/cfx_font.cpp | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/core/fxge/cfx_font.cpp b/core/fxge/cfx_font.cpp index 11fa45710d..da6b0e0fe3 100644 --- a/core/fxge/cfx_font.cpp +++ b/core/fxge/cfx_font.cpp @@ -28,6 +28,9 @@ namespace { +constexpr int kThousandthMinInt = std::numeric_limits<int>::min() / 1000; +constexpr int kThousandthMaxInt = std::numeric_limits<int>::max() / 1000; + struct OUTLINE_PARAMS { CFX_PathData* m_pPath; int m_CurX; @@ -343,9 +346,11 @@ int CFX_Font::GetGlyphWidth(uint32_t glyph_index) { if (err) return 0; - int width = EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), - FXFT_Get_Glyph_HoriAdvance(m_Face)); - return width; + int horiAdvance = FXFT_Get_Glyph_HoriAdvance(m_Face); + if (horiAdvance < kThousandthMinInt || horiAdvance > kThousandthMaxInt) + return 0; + + return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), horiAdvance); } bool CFX_Font::LoadEmbedded(const uint8_t* data, uint32_t size) { @@ -366,16 +371,22 @@ int CFX_Font::GetAscent() const { if (!m_Face) return 0; - return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), - FXFT_Get_Face_Ascender(m_Face)); + int ascender = FXFT_Get_Face_Ascender(m_Face); + if (ascender < kThousandthMinInt || ascender > kThousandthMaxInt) + return 0; + + return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), ascender); } int CFX_Font::GetDescent() const { if (!m_Face) return 0; - return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), - FXFT_Get_Face_Descender(m_Face)); + int descender = FXFT_Get_Face_Descender(m_Face); + if (descender < kThousandthMinInt || descender > kThousandthMaxInt) + return 0; + + return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), descender); } bool CFX_Font::GetGlyphBBox(uint32_t glyph_index, FX_RECT& bbox) { |