summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorHenrique Nakashima <hnakashima@chromium.org>2017-10-19 11:39:32 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-10-19 17:22:05 +0000
commit943360187bb881fe94f14571c955e03f81203573 (patch)
tree44eba5b12f21f38803af898395ccc4cd3345e254 /core
parent68708e4344b9624fe677854321846a4c23b7e226 (diff)
downloadpdfium-943360187bb881fe94f14571c955e03f81203573.tar.xz
Fix integer overflows in cfx_font.cpp.chromium/3245
Bug: chromium:775587 Change-Id: If927ebc0080a53d1c67f0aee5cab525fbcc24260 Reviewed-on: https://pdfium-review.googlesource.com/16290 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org> Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxge/cfx_font.cpp25
1 files changed, 18 insertions, 7 deletions
diff --git a/core/fxge/cfx_font.cpp b/core/fxge/cfx_font.cpp
index 11fa45710d..da6b0e0fe3 100644
--- a/core/fxge/cfx_font.cpp
+++ b/core/fxge/cfx_font.cpp
@@ -28,6 +28,9 @@
namespace {
+constexpr int kThousandthMinInt = std::numeric_limits<int>::min() / 1000;
+constexpr int kThousandthMaxInt = std::numeric_limits<int>::max() / 1000;
+
struct OUTLINE_PARAMS {
CFX_PathData* m_pPath;
int m_CurX;
@@ -343,9 +346,11 @@ int CFX_Font::GetGlyphWidth(uint32_t glyph_index) {
if (err)
return 0;
- int width = EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
- FXFT_Get_Glyph_HoriAdvance(m_Face));
- return width;
+ int horiAdvance = FXFT_Get_Glyph_HoriAdvance(m_Face);
+ if (horiAdvance < kThousandthMinInt || horiAdvance > kThousandthMaxInt)
+ return 0;
+
+ return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), horiAdvance);
}
bool CFX_Font::LoadEmbedded(const uint8_t* data, uint32_t size) {
@@ -366,16 +371,22 @@ int CFX_Font::GetAscent() const {
if (!m_Face)
return 0;
- return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
- FXFT_Get_Face_Ascender(m_Face));
+ int ascender = FXFT_Get_Face_Ascender(m_Face);
+ if (ascender < kThousandthMinInt || ascender > kThousandthMaxInt)
+ return 0;
+
+ return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), ascender);
}
int CFX_Font::GetDescent() const {
if (!m_Face)
return 0;
- return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
- FXFT_Get_Face_Descender(m_Face));
+ int descender = FXFT_Get_Face_Descender(m_Face);
+ if (descender < kThousandthMinInt || descender > kThousandthMaxInt)
+ return 0;
+
+ return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), descender);
}
bool CFX_Font::GetGlyphBBox(uint32_t glyph_index, FX_RECT& bbox) {