author | Dan Sinclair <dsinclair@chromium.org> | 2018-05-16 13:30:15 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-05-16 13:30:15 +0000 |
commit | a68ee04cfdeb39637a06764dcb924ac806dfdf95 (patch) | |
tree | 4572493605b15dbd3d8672ddbb762ec16740a0e5 /core | |
parent | c3aa483e132526e5f5d150058fcdef9450ba3498 (diff) | |
download | pdfium-a68ee04cfdeb39637a06764dcb924ac806dfdf95.tar.xz |
Verify bidi pos is within range before accessing
This CL verifies that the provided BidiPos is within the acceptable size
for the vector before accessing.
Bug: chromium:843100
Change-Id: I2955a3ca628b19ee51dd4233726b859729c125af
Reviewed-on: https://pdfium-review.googlesource.com/32593
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/fxcrt/cfx_char.h | 6 | ||||
-rw-r--r-- | core/fxcrt/fx_bidi.cpp | 6 |
2 files changed, 8 insertions, 4 deletions
diff --git a/core/fxcrt/cfx_char.h b/core/fxcrt/cfx_char.h
index fb625ee038..268aa99c39 100644
--- a/core/fxcrt/cfx_char.h
+++ b/core/fxcrt/cfx_char.h
@@ -35,9 +35,9 @@ class CFX_Char {
 uint32_t m_dwCharStyles;
 int32_t m_iCharWidth;
 int16_t m_iBidiClass;
- int16_t m_iBidiLevel;
- int16_t m_iBidiPos;
- int16_t m_iBidiOrder;
+ uint16_t m_iBidiLevel;
+ uint16_t m_iBidiPos;
+ uint16_t m_iBidiOrder;
 int32_t m_iFontSize;
 uint32_t m_dwIdentity;
 RetainPtr<Retainable> m_pUserData;
diff --git a/core/fxcrt/fx_bidi.cpp b/core/fxcrt/fx_bidi.cpp
index 7261d80af3..669fc5bd88 100644
--- a/core/fxcrt/fx_bidi.cpp
+++ b/core/fxcrt/fx_bidi.cpp
@@ -531,8 +531,12 @@ class CFX_BidiLine {
 }
 void Position(std::vector<CFX_Char>* chars, size_t iCount) {
- for (size_t i = 0; i < iCount; ++i)
+ for (size_t i = 0; i < iCount; ++i) {
+ if ((*chars)[i].m_iBidiPos > iCount)
+ continue;
+
 (*chars)[(*chars)[i].m_iBidiPos].m_iBidiOrder = i;
+ }
 }
 }; |
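Review bot: The three fields changed to `uint16_t` in CFX_Char carry no comment explaining why they are unsigned, and the `m_i` prefix still reads as signed. The fx_bidi.cpp hunk shows `m_iBidiPos` being used as a vector index, so a one-line note above the fields such as `// Unsigned: m_iBidiPos is used as an index into the character vector; negative values are not representable.` would keep a later edit from reverting the type. Any code outside this hunk that stores a negative sentinel in these fields or tests them with `< 0` would now wrap or never be true, which is worth confirming since only part of the class is visible here.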
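Review bot: The new guard in Position() compares with `>`, so an `m_iBidiPos` equal to `iCount` is not skipped and still reaches the indexed write to `m_iBidiOrder` on the following line. If `iCount` is the number of valid elements, as the loop bound suggests, that is a write one past the last valid element; the check should be `if ((*chars)[i].m_iBidiPos >= iCount)`. The bound is also taken from `iCount` rather than `chars->size()`, and the hunk does not show whether callers guarantee `iCount <= chars->size()`, so checking against both would be safer. Separately, `m_iBidiOrder = i` now narrows a `size_t` into a `uint16_t` without a range check.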