summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-03-10 15:46:49 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-03-10 21:32:42 +0000
commite472622d33bdca2316a22ff5ff8d77ac975c2eb2 (patch)
treec41aad4ee5094513ca5f14072a40e5a25429fbdd /core
parent6791295a4e8c99097e6d75870871e128284f8cb5 (diff)
downloadpdfium-e472622d33bdca2316a22ff5ff8d77ac975c2eb2.tar.xz
Bound cbox from tricky faceschromium/3040chromium/3039chromium/3038
The cbox values are long. We should make sure they are not too big before putting them into FX_RECT, which holds integers. The bound is chosen to also avoid overflow when multiplying by 1000. BUG=chromium:699961 Change-Id: Ie4443848e0319348110f7215bd1c909ef19dad9f Reviewed-on: https://pdfium-review.googlesource.com/2956 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/font/cpdf_cidfont.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 6d01538f54..b0ae05c8c5 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -113,6 +113,10 @@ const struct CIDTransform {
{8818, 0, 129, 127, 0, 19, 114}, {8819, 0, 129, 127, 0, 218, 108},
};
+// Boundary values to avoid integer overflow when multiplied by 1000.
+const long kMinCBox = -2147483;
+const long kMaxCBox = 2147483;
+
CPDF_FontGlobals* GetFontGlobals() {
return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals();
}
@@ -440,11 +444,15 @@ FX_RECT CPDF_CIDFont::GetCharBBox(uint32_t charcode) {
int err = FXFT_Load_Glyph(face, glyph_index,
FXFT_LOAD_IGNORE_GLOBAL_ADVANCE_WIDTH);
if (!err) {
- FXFT_BBox cbox;
FXFT_Glyph glyph;
err = FXFT_Get_Glyph(((FXFT_Face)face)->glyph, &glyph);
if (!err) {
+ FXFT_BBox cbox;
FXFT_Glyph_Get_CBox(glyph, FXFT_GLYPH_BBOX_PIXELS, &cbox);
+ cbox.xMin = std::min(std::max(cbox.xMin, kMinCBox), kMaxCBox);
+ cbox.xMax = std::min(std::max(cbox.xMax, kMinCBox), kMaxCBox);
+ cbox.yMin = std::min(std::max(cbox.yMin, kMinCBox), kMaxCBox);
+ cbox.yMax = std::min(std::max(cbox.yMax, kMinCBox), kMaxCBox);
int pixel_size_x = ((FXFT_Face)face)->size->metrics.x_ppem;
int pixel_size_y = ((FXFT_Face)face)->size->metrics.y_ppem;
if (pixel_size_x == 0 || pixel_size_y == 0) {