Fix integer issues leading to out of bounds access in fx_ge_text.cpp.

- Using |-skew| to get positive index, which doesn't work when skew is INT_MIN - Incorrect logic when determining when to use |-skew| as an index. R=tsepez@chromium.org,weili@chromium.org BUG=chromium:601362 Review URL: https://codereview.chromium.org/1875673004
author: ochang <ochang@chromium.org> 2016-04-11 13:47:41 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-04-11 13:47:41 -0700
commit: b8627c9d13884d48943d8a7a5381eaf0bb2c08d9 (patch)
tree: 8357843404f8bea28b7930acb888eb853d822a9a /core/fxge/ge
parent: 184b82553000a41fd0c90be56fa2f1c1503e2e9e (diff)
download: pdfium-b8627c9d13884d48943d8a7a5381eaf0bb2c08d9.tar.xz
2 files changed, 36 insertions, 8 deletions
diff --git a/core/fxge/ge/fx_ge_text.cpp b/core/fxge/ge/fx_ge_text.cpp
index 44ab9f7ab5..e074fa4f26 100644
--- a/core/fxge/ge/fx_ge_text.cpp
+++ b/core/fxge/ge/fx_ge_text.cpp
@@ -4,6 +4,8 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
+#include <limits>
+
 #include "core/fxcodec/include/fx_codec.h"
 #include "core/fxge/ge/fx_text_int.h"
 #include "core/fxge/include/fx_freetype.h"
@@ -1567,10 +1569,14 @@ CFX_GlyphBitmap* CFX_FaceCache::RenderGlyph(CFX_Font* pFont,
       skew = pSubstFont->m_ItalicAngle;
     }
     if (skew) {
-      // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      // |skew| is nonpositive so |-skew| is used as the index. We need to make
+      // sure |skew| != INT_MIN since -INT_MIN is undefined.
+      if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (pFont->IsVertical())
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
@@ -1833,10 +1839,14 @@ CFX_PathData* CFX_Font::LoadGlyphPath(uint32_t glyph_index, int dest_width) {
   if (m_pSubstFont) {
     if (m_pSubstFont->m_ItalicAngle) {
       int skew = m_pSubstFont->m_ItalicAngle;
-      // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      // |skew| is nonpositive so |-skew| is used as the index. We need to make
+      // sure |skew| != INT_MIN since -INT_MIN is undefined.
+      if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (m_bVertical)
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
diff --git a/core/fxge/ge/fx_ge_text_embeddertest.cpp b/core/fxge/ge/fx_ge_text_embeddertest.cpp
new file mode 100644
index 0000000000..045b6dc869
--- /dev/null
+++ b/core/fxge/ge/fx_ge_text_embeddertest.cpp
@@ -0,0 +1,18 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/embedder_test.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+class FXGETextEmbedderTest : public EmbedderTest {};
+
+TEST_F(FXGETextEmbedderTest, BadItalic) {
+  // Shouldn't crash.
+  EXPECT_TRUE(OpenDocument("bug_601362.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  EXPECT_NE(nullptr, page);
+  FPDF_BITMAP bitmap = RenderPage(page);
+  FPDFBitmap_Destroy(bitmap);
+  UnloadPage(page);
+}
author	ochang <ochang@chromium.org>	2016-04-11 13:47:41 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-04-11 13:47:41 -0700
commit	b8627c9d13884d48943d8a7a5381eaf0bb2c08d9 (patch)
tree	8357843404f8bea28b7930acb888eb853d822a9a /core/fxge/ge
parent	184b82553000a41fd0c90be56fa2f1c1503e2e9e (diff)
download	pdfium-b8627c9d13884d48943d8a7a5381eaf0bb2c08d9.tar.xz