author | Nicolas Pena <npm@chromium.org> | 2018-08-22 15:15:36 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-22 15:15:36 +0000 |
commit | 98a245c0d8ee3e403fbb13d90872239948d82abf (patch) | |
tree | ff3c0e12c5de708a05e21493b4b2ccaf5aecc992 /core | |
parent | d4f4ce4b9c35db40d2dc3720ba07a83cff1b547d (diff) | |
download | pdfium-98a245c0d8ee3e403fbb13d90872239948d82abf.tar.xz |
Fix integer overflow in CPDF_CIDFont::GetCharBBox
Bug: chromium:875924
Change-Id: I85c86d3f90ee62b5593b0b20e44283c5056702ff
Reviewed-on: https://pdfium-review.googlesource.com/40730
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/fpdfapi/font/cpdf_cidfont.cpp | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp index e118a91e87..a423daa1bb 100644 --- a/core/fpdfapi/font/cpdf_cidfont.cpp +++ b/core/fpdfapi/font/cpdf_cidfont.cpp @@ -119,8 +119,11 @@ const struct CIDTransform { }; // Boundary values to avoid integer overflow when multiplied by 1000. -const long kMinCBox = -2147483; -const long kMaxCBox = 2147483; +constexpr long kMinCBox = -2147483; +constexpr long kMaxCBox = 2147483; + +// Boundary value to avoid integer overflow when adding 1/64th of the value. +constexpr int kMaxRectTop = 2114445437; CPDF_FontGlobals* GetFontGlobals() { return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals(); @@ -472,7 +475,10 @@ FX_RECT CPDF_CIDFont::GetCharBBox(uint32_t charcode) { TT2PDF(FXFT_Get_Glyph_HoriBearingY(face) - FXFT_Get_Glyph_Height(face), face)); - rect.top += rect.top / 64; + if (rect.top <= kMaxRectTop) + rect.top += rect.top / 64; + else + rect.top = std::numeric_limits<int>::max(); } } } |
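Review bot: `kMaxRectTop` is a bare literal that is only correct for a 32-bit `int`, and nothing next to its definition ties it to the limit it protects. A compile-time check would pin the derivation and fail the build if the assumption changes: `static_assert(kMaxRectTop <= std::numeric_limits<int>::max() - kMaxRectTop / 64, "kMaxRectTop + kMaxRectTop / 64 must fit in int");`. The comment could also name the consumer, for example `// Largest rect.top for which rect.top + rect.top / 64 still fits in an int; see GetCharBBox().`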
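Review bot: The new guard in front of `rect.top += rect.top / 64` bounds only the positive side, so a large negative `rect.top` (below `-kMaxRectTop`) still overflows in the same addition. Whether TT2PDF can produce such a value is not visible in this hunk, but a symmetric clamp costs little: `if (rect.top > kMaxRectTop) rect.top = std::numeric_limits<int>::max();` `else if (rect.top < -kMaxRectTop) rect.top = std::numeric_limits<int>::min();` `else rect.top += rect.top / 64;`. The commit adds no `#include <limits>`, so the file should include it directly if it does not already. GetCharBBox starts and ends outside the hunk.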