authorochang <ochang@chromium.org>2016-04-11 13:47:41 -0700
committerCommit bot <commit-bot@chromium.org>2016-04-11 13:47:41 -0700
commitb8627c9d13884d48943d8a7a5381eaf0bb2c08d9 (patch)
tree8357843404f8bea28b7930acb888eb853d822a9a /core/fxge
parent184b82553000a41fd0c90be56fa2f1c1503e2e9e (diff)
downloadpdfium-b8627c9d13884d48943d8a7a5381eaf0bb2c08d9.tar.xz
Fix integer issues leading to out of bounds access in fx_ge_text.cpp.
- Using |-skew| to get positive index, which doesn't work when skew is INT_MIN - Incorrect logic when determining when to use |-skew| as an index. R=tsepez@chromium.org,weili@chromium.org BUG=chromium:601362 Review URL: https://codereview.chromium.org/1875673004
Diffstat (limited to 'core/fxge')
-rw-r--r--core/fxge/ge/fx_ge_text.cpp26
-rw-r--r--core/fxge/ge/fx_ge_text_embeddertest.cpp18
2 files changed, 36 insertions, 8 deletions
diff --git a/core/fxge/ge/fx_ge_text.cpp b/core/fxge/ge/fx_ge_text.cpp
index 44ab9f7ab5..e074fa4f26 100644
--- a/core/fxge/ge/fx_ge_text.cpp
+++ b/core/fxge/ge/fx_ge_text.cpp
@@ -4,6 +4,8 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
+#include <limits>
+
#include "core/fxcodec/include/fx_codec.h"
#include "core/fxge/ge/fx_text_int.h"
#include "core/fxge/include/fx_freetype.h"
@@ -1567,10 +1569,14 @@ CFX_GlyphBitmap* CFX_FaceCache::RenderGlyph(CFX_Font* pFont,
skew = pSubstFont->m_ItalicAngle;
}
if (skew) {
- // skew is nonpositive so -skew is used as the index.
- skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
- ? -58
- : -g_AngleSkew[-skew];
+ // |skew| is nonpositive so |-skew| is used as the index. We need to make
+ // sure |skew| != INT_MIN since -INT_MIN is undefined.
+ if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+ static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+ skew = -g_AngleSkew[-skew];
+ } else {
+ skew = -58;
+ }
if (pFont->IsVertical())
ft_matrix.yx += ft_matrix.yy * skew / 100;
else
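Review bot: The guarded lookup `if (skew <= 0 && skew != std::numeric_limits<int>::min() && ...)` is written out twice, here in CFX_FaceCache::RenderGlyph and again in the CFX_Font::LoadGlyphPath hunk, so the bounds check on g_AngleSkew holds only while both copies stay in sync. The index comes from m_ItalicAngle, which presumably can be influenced by font data in the document, so I would put the check in one file-local helper and call it from both sites, as sketched below (the helper name is a suggestion). The comment still reads as if a nonpositive skew were an invariant; it is now a checked condition, and positive or out-of-range angles fall back to -58, which deserves a named constant and a word on why that value is the fallback. Both enclosing functions start and end outside their hunks.

```cpp
// Proposed file-local helper; the name is a suggestion.
// Maps a substitute font's italic angle to a skew value. Angles that are
// positive, equal to INT_MIN (whose negation is undefined), or whose
// magnitude is not a valid g_AngleSkew index get the fallback skew.
static int SkewFromItalicAngle(int angle) {
  const int kFallbackSkew = -58;
  if (angle > 0 || angle == std::numeric_limits<int>::min())
    return kFallbackSkew;
  const size_t index = static_cast<size_t>(-angle);
  return index < ANGLESKEW_ARRAY_SIZE ? -g_AngleSkew[index] : kFallbackSkew;
}

// … unchanged: RenderGlyph up to the skew block …
  if (skew) {
    skew = SkewFromItalicAngle(skew);
// … unchanged: ft_matrix adjustment …
```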
@@ -1833,10 +1839,14 @@ CFX_PathData* CFX_Font::LoadGlyphPath(uint32_t glyph_index, int dest_width) {
if (m_pSubstFont) {
if (m_pSubstFont->m_ItalicAngle) {
int skew = m_pSubstFont->m_ItalicAngle;
- // skew is nonpositive so -skew is used as the index.
- skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
- ? -58
- : -g_AngleSkew[-skew];
+ // |skew| is nonpositive so |-skew| is used as the index. We need to make
+ // sure |skew| != INT_MIN since -INT_MIN is undefined.
+ if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+ static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+ skew = -g_AngleSkew[-skew];
+ } else {
+ skew = -58;
+ }
if (m_bVertical)
ft_matrix.yx += ft_matrix.yy * skew / 100;
else
diff --git a/core/fxge/ge/fx_ge_text_embeddertest.cpp b/core/fxge/ge/fx_ge_text_embeddertest.cpp
new file mode 100644
index 0000000000..045b6dc869
--- /dev/null
+++ b/core/fxge/ge/fx_ge_text_embeddertest.cpp
@@ -0,0 +1,18 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/embedder_test.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+class FXGETextEmbedderTest : public EmbedderTest {};
+
+TEST_F(FXGETextEmbedderTest, BadItalic) {
+ // Shouldn't crash.
+ EXPECT_TRUE(OpenDocument("bug_601362.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
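Review bot: The test keeps running after a failed precondition, because `EXPECT_TRUE(OpenDocument(...))` and `EXPECT_NE(nullptr, page)` only record the failure, so a missing bug_601362.pdf or a null page is still handed to LoadPage and RenderPage. Use `ASSERT_TRUE(OpenDocument("bug_601362.pdf"));` and `ASSERT_NE(nullptr, page);` so the test stops at the first broken step. The only check on the fix itself is the `// Shouldn't crash.` comment, and an out-of-bounds read of a global table does not necessarily crash in a plain build, so the comment should say that the regression is caught reliably only when the test runs under a memory sanitizer such as ASan.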