authorthestig <thestig@chromium.org>2016-08-31 13:29:39 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-31 13:29:39 -0700
commit21b111fcf71e4e189035f29606ca9d3fdf3ebd92 (patch)
tree0085f06d4a8d3080a104d1842e9cabcaec3141af /core/fxge
parent07146149674c61eaecf55cdfe6cdf7c31bbf0550 (diff)
downloadpdfium-21b111fcf71e4e189035f29606ca9d3fdf3ebd92.tar.xz
Attempt to fix potential integer overflow in CFX_FaceCache::LoadGlyphPath().chromium/2846
BUG=641333 Review-Url: https://codereview.chromium.org/2294183002
Diffstat (limited to 'core/fxge')
-rw-r--r--core/fxge/ge/cfx_facecache.cpp23
1 files changed, 17 insertions, 6 deletions
diff --git a/core/fxge/ge/cfx_facecache.cpp b/core/fxge/ge/cfx_facecache.cpp
index d59ae3269e..6c5bba2018 100644
--- a/core/fxge/ge/cfx_facecache.cpp
+++ b/core/fxge/ge/cfx_facecache.cpp
@@ -23,6 +23,8 @@
namespace {
+constexpr uint32_t kInvalidGlyphIndex = static_cast<uint32_t>(-1);
+
void GammaAdjust(uint8_t* pData,
int nHeight,
int src_pitch,
@@ -224,14 +226,22 @@ CFX_GlyphBitmap* CFX_FaceCache::RenderGlyph(CFX_Font* pFont,
const CFX_PathData* CFX_FaceCache::LoadGlyphPath(CFX_Font* pFont,
uint32_t glyph_index,
int dest_width) {
- if (!m_Face || glyph_index == (uint32_t)-1)
+ if (!m_Face || glyph_index == kInvalidGlyphIndex || dest_width < 0)
return nullptr;
uint32_t key = glyph_index;
- if (pFont->GetSubstFont()) {
- key += (((pFont->GetSubstFont()->m_Weight / 16) << 15) +
- ((pFont->GetSubstFont()->m_ItalicAngle / 2) << 21) +
- ((dest_width / 16) << 25) + (pFont->IsVertical() << 31));
+ auto* pSubstFont = pFont->GetSubstFont();
+ if (pSubstFont) {
+ if (pSubstFont->m_Weight < 0 || pSubstFont->m_ItalicAngle < 0)
+ return nullptr;
+ uint32_t weight = static_cast<uint32_t>(pSubstFont->m_Weight);
+ uint32_t angle = static_cast<uint32_t>(pSubstFont->m_ItalicAngle);
+ uint32_t key_modifier = (weight / 16) << 15;
+ key_modifier += (angle / 2) << 21;
+ key_modifier += (static_cast<uint32_t>(dest_width) / 16) << 25;
+ if (pFont->IsVertical())
+ key_modifier += 1U << 31;
+ key += key_modifier;
}
auto it = m_PathMap.find(key);
if (it != m_PathMap.end())
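Review bot: The rewritten key computation in LoadGlyphPath removes the signed shifts, but the packed fields are still unbounded, so different inputs can produce the same `key` for `m_PathMap`. `(weight / 16) << 15`, `(angle / 2) << 21` and `(static_cast<uint32_t>(dest_width) / 16) << 25` each spill into the next field (or wrap) once the value exceeds its slot, and a `glyph_index` of `1 << 15` or more overlaps the weight bits, so a lookup may return a path cached for a different glyph or style. Consider clamping each component to its field width before shifting, e.g. `std::min(weight / 16, 63u) << 15`, or keying the map on the separate values instead of one packed integer. Separately, the new `m_Weight < 0 || m_ItalicAngle < 0` early return changes behaviour: if a negative italic angle is a legitimate value for substituted fonts (not visible in this hunk), those glyphs now get no path at all. The function body continues past the end of the hunk.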
@@ -249,8 +259,9 @@ const CFX_GlyphBitmap* CFX_FaceCache::LoadGlyphBitmap(CFX_Font* pFont,
int dest_width,
int anti_alias,
int& text_flags) {
- if (glyph_index == (uint32_t)-1)
+ if (glyph_index == kInvalidGlyphIndex)
return nullptr;
+
_CFX_UniqueKeyGen keygen;
int nMatrixA = static_cast<int>(pMatrix->a * 10000);
int nMatrixB = static_cast<int>(pMatrix->b * 10000);